403 status routing traffic through CloudFront to non-AWS custom origin server

We have a domain with a 3rd party Registrar and a dynamic website served from 3rd party servers. I am trying to route traffic through our Registrar, then through CloudFront and then to our custom origin server. Ultimately, we are looking to replace our 3rd party WAF with AWS WAF, but I'm first trying to get traffic routed through CloudFront before adding the WAF layer.

I have created a CloudFront Distribution with an Alternate Domain Name (let's call it aws.example.com) and custom SSL certificate with the same subdomain (aws.example.com) set up through AWS Certificate Manager. I have a CloudFront Behavior set up with the subdomain/Alternate Domain Name as the Origin, Caching disabled, and HTTP redirected to HTTPS. Then in Route 53, I've created a Hosted Zone with an A Record mapping the subdomain/Alternate Domain Name to the static public IP Address of the non-AWS origin server. Finally, at our Registrar, I have a CNAME for the domain name mapping the subdomain "aws" to the Distribution Domain Name for the CloudFront distribution ( e.g. xyz1234.cloudfront.net ).

What I expected was for calls to aws.example.com to route through our Registrar to CloudFront through Route 53 to the non-AWS origin server, but what we get is CloudFront responding with a 403 status. If I go directly to the Distribution Domain Name for the CloudFront distribution, the result is the same. I appears that the traffic stops at CloudFront and that the alternate domain is not passing through Route 53.

What is the correct way to configure this all to route traffic through CloudFront to non-AWS custom origin server?