For hosting a webiste I am using a cloudfront distribution under someurl.com. It has a behavior that forwards requests arriving under path path to an API Gateway apigatewayurl.com what hosts an API the website should make use of.
I can reach the API Gateway but problem starts when I do add authorization: I get 403 forbidden.
Authorization should work through a custom authorizer using cookie which is set under the domain someurl.com. The authorizer works fine, I tested that one using the regional API endpoint.
When only adding the authorization my request is blocked at the API Gateway what makes sense as Cloudfront does not forward cookies. I get 403 - unauthorized and I can see in the API Gateway logs that the request makes it to API Gateway.
To forward cookies I added 'ViewerAll' origin policy to the behavior but then API Gateway is not even reaching API Gateway, I do not get any log. My call returns 403 - forbidden.
Any ideas why I get 403 once I enable origin policy in order to forward cookies?