AWS Cloudfront - InvalidKey Unknown Key - only when using signed URLs

0

Hello,

I've been fiddling with CloudFront + S3 and can't make signed URLs work.
If the behavior "only allow signed urls/cookies" is disabled everything works as expected, so there must be an obscure config somewhere that I am missing.

I'm getting this error:
<Error>
<Code>InvalidKey</Code>
<Message>Unknown Key</Message>
</Error>

It does not seem related to the S3 path; as stated, if I disable the signed URLs setting, I get the images displayed as expected through the CDN.

A few notes:

  • CF origin is set to the S3 bucket;
  • Redirecting http to https;
  • The S3 bucket is configured to allow my cloudfront ID;
  • The Cloudfront keys were generated by the root account user a few days back;
  • The CDN behavior "trusted signers" is set to "self";
  • I did not use the root account user to create the CDN distribution - I used another user;
  • Also tried restricting the S3 bucket access policy only for Cloudfront but it makes no difference.

Tried the examples in the documentation without success:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CreateSignatureInCSharp.html

Also, tried using the AWS SDK (# .net):
// using the AWS SDK
var usingSDKurl = AmazonCloudFrontUrlSigner.GetCustomSignedURL(
    AmazonCloudFrontUrlSigner.Protocol.https,
    "mycloudfrontDomain.cloudfront.net",
    privateKey,
    resourcepath,
    cloudFrontKeyPairID,
    DateTime.Now.AddDays(2),
    DateTime.Now,
    "0.0.0.0/0");

Any ideas on what I might be missing or where I can debug this?

flip
asked 5 years ago, 2690 views
2 Answers
0

I'd get CF out of the equation for troubleshooting, and spit out the signedurl request you are making, look at the request to see if there is anything obvious, and try to curl that.
Not sure offhand what detail the S3 access logs capture on these requests, but might try enabling logging and checking that out (possibly best to do this to a test bucket so you can easily locate the logs, etc).

answered 5 years ago
0

I was able to resolve the issue using the following steps:

Go to the CloudFront distribution
Click on the Behaviors tab
Select the checkbox and click on Edit
Select Trusted Signer in the Trusted Key Groups or Trusted Signer radio button
Click Save

https://www.lazydeveloper.tech/aws/aws-cloudfront-invalidkey-unknown-key-when-using-signed-urls/

Nikun
answered 3 years ago
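
Both answers come down to looking at what the signed URL actually carries and comparing it with what the behavior trusts. The following is an added example, not code from the thread or from AWS: it decodes a signed URL's query parameters offline (Key-Pair-Id, expiry, policy contents) so they can be checked against the distribution's trusted signer or key group. The sample domain, key ID and signature bytes are constructed placeholders, and the function names are this example's own.

```python
import base64, fnmatch, json
from urllib.parse import urlsplit, parse_qs

def cf_b64encode(raw: bytes) -> str:
    """Base64 with CloudFront's substitutions: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(raw).decode().translate(str.maketrans("+=/", "-_~"))

def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))

def inspect_signed_url(url: str, now: int) -> dict:
    """Decode a signed URL's query parameters; `now` is a Unix timestamp."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    info = {"key_pair_id": q.get("Key-Pair-Id"), "problems": [
        f"missing {n}" for n in ("Key-Pair-Id", "Signature") if n not in q]}
    if "Signature" in q:
        info["signature_bytes"] = len(cf_b64decode(q["Signature"]))
    starts = None
    if "Policy" in q:  # custom policy: conditions live in the encoded JSON
        stmt = json.loads(cf_b64decode(q["Policy"]))["Statement"][0]
        cond = stmt.get("Condition", {})
        expires = cond.get("DateLessThan", {}).get("AWS:EpochTime")
        starts = cond.get("DateGreaterThan", {}).get("AWS:EpochTime")
        info["source_ip"] = cond.get("IpAddress", {}).get("AWS:SourceIp")
        info["resource"] = stmt.get("Resource", "")
        base = f"{parts.scheme}://{parts.netloc}{parts.path}"
        if not fnmatch.fnmatchcase(base, info["resource"]):  # approximates '*' and '?'
            info["problems"].append("policy Resource does not match the URL")
    else:  # canned policy: only an expiry, carried in the Expires parameter
        expires = int(q["Expires"]) if "Expires" in q else None
    if expires is None:
        info["problems"].append("no expiry (Policy or Expires) present")
    elif expires <= now:
        info["problems"].append("URL has expired")
    if starts is not None and starts > now:
        info["problems"].append("URL is not valid yet")
    return {**info, "expires": expires, "starts": starts}

# Constructed sample: placeholder domain, key ID and signature (not a real signature).
SAMPLE_POLICY = {"Statement": [{"Resource": "https://dexample.cloudfront.net/images/*",
    "Condition": {"DateLessThan": {"AWS:EpochTime": 1700172800},
                  "DateGreaterThan": {"AWS:EpochTime": 1700000000},
                  "IpAddress": {"AWS:SourceIp": "0.0.0.0/0"}}}]}
SAMPLE_URL = ("https://dexample.cloudfront.net/images/cat.png?Policy="
              + cf_b64encode(json.dumps(SAMPLE_POLICY).encode())
              + "&Signature=" + cf_b64encode(bytes(256)) + "&Key-Pair-Id=KEXAMPLEKEYID")
if __name__ == "__main__":
    print(json.dumps(inspect_signed_url(SAMPLE_URL, now=1700086400), indent=2))
```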
