S3 Block Public Access + Bucket Policy - Access Denied

We are running an S3 Bucket with a Cloudfront In front of it. Recently we've turned enabled block public access (All four options enabled under Individual Block Public Access settings for this bucket, but now our Fargate ECS instance is getting Access Denied doing a s3client.putobject. Images are able to be pulled through the Cloudfront URLs, s3 object are blocked, but we are unable to upload any new images from our ECS instances. How do we allow the ECS task instances to putObject

A (wide) bucket policy was added:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<aws-account>:role/<ecs-task-role>",
                    "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <OAI>"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        }
    ]
}

The ecs-task-role has AmazonS3FullAccess. We can manually upload to console.

Removing the following two options from block public access does again allow us to put, but then the s3 object urls are public which we want to be non-accessible.

• Block public access to buckets and objects granted through new access control lists (ACLs)
• Block public access to buckets and objects granted through any access control lists (ACLs)