
Why does s3Client.generate_presigned_url not return an error, and instead create a valid looking but invalid URL when the service requesting the presigned URL does not have rights to the S3 resource?


In my python code running as an AWS Lambda function, I request a presigned URL:

    import boto3
    s3Client = boto3.client('s3')
    # Params holds the S3 arguments for the chosen client method,
    # e.g. {'Bucket': bucket, 'Key': key} for 'put_object'
    data['url'] = s3Client.generate_presigned_url(
        ClientMethod=self.context['clientMethod'],  # e.g. 'put_object'
        ExpiresIn=self.context['expiresIn'],        # seconds until the URL expires
        Params=Params)

The request returns a valid looking URL, which I return to my client (actual S3 bucket and account are obscured in this sample):

https://xxx-content-test.s3.amazonaws.com/pa112345/artifacts/Q0BUG4IK/ovQhVz2vw0Li2iuDpmZh?AWSAccessKeyId=XXXXXXXXXXXXXXXX&Signature=DCULJ%2B6XAq0vVXZO%2B0HfFE6Mv70%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEOD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3Q....

However, when the client tries to use the URL, this 403 response data is returned:

<Error>
  <Code>AccessDenied</Code>
  <Message>User: arn:aws:sts::aaaaaaaaaaaa:assumed-role/xxxx-test-lambda-execution/xxxxxx-server-test-LambdaWebSite is not authorized to perform: s3:PutObject on resource: "arn:aws:s3:::xxxx-content-test/pa112345/artifacts/Q0BUG4IK/ovQhVz2vw0Li2iuDpmZh" because no identity-based policy allows the s3:PutObject action</Message>
  <RequestId>JRVNGVA9BW2E7YCZ</RequestId>
  <HostId>Vn+zB0gVQcIj7jl6ie+F6vyaMyU5hhibhtsUVy7jZ6qD2QSllH+qGb79NkI9f/tOk727WHMOIm0=</HostId>
</Error>

In fact, my Lambda execution role did not have the correct rights for the S3 resource, which I have addressed.

However, I have 2 questions:

  1. Why did the generate_presigned_url request with invalid access rights succeed? It should have returned an error or exception I would think.

  2. The 403 error seen by the client when using the generated URL shows way too much information to the end user about my backend infrastructure, including my account ID! Does this seem like a potential security breach?

Thanks for your attention, John Byrne

1 Answer
Accepted Answer
  1. Generating a presigned URL is an entirely client-side operation. There is no API called (the signature is generated locally) and access rights are not checked until access is attempted.
  2. We don't consider account IDs to be confidential. See the first paragraph on this page in the documentation:

While account IDs, like any identifying information, should be used and shared carefully, they are not considered secret, sensitive, or confidential information.

AWS EXPERT, answered a year ago
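To make the first point of the accepted answer concrete, here is an added example (not code from the question, the answer, or boto3): a from-scratch AWS Signature Version 4 query-string presigner for S3 written against the Python standard library only, plus the verification step S3 performs on the receiving side. Everything the signer needs is the secret key, the date, the region and the request description, so the whole computation is local arithmetic with no socket involved; there is simply nowhere for an IAM check to happen until the URL is presented to S3. boto3 does the same derivation internally with the Lambda role's temporary credentials. The poster's URL shows the older Signature Version 2 parameter names (AWSAccessKeyId, Signature, x-amz-security-token); that scheme is computed locally in exactly the same way. The access key, secret key, session token, bucket and object key below are constructed placeholders (the key pair is the one AWS uses in its own documentation examples), and the fixed timestamps exist only to make the output deterministic.

```python
"""Added example: SigV4 query-string presigning for S3 with the standard
library only, showing that generating a presigned URL never contacts AWS.
All credentials, names and timestamps are constructed placeholders."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed inputs. The key pair is AWS's documented example pair, not a
# real credential; the token is a made-up string of the right shape.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SESSION_TOKEN = "IQoJb3JpZ2luX2VjEOD+constructed/example+token=="
SIGNED_AT = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
TWO_HOURS_LATER = SIGNED_AT + timedelta(hours=2)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, datestamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation chain. The secret never leaves this process."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), datestamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Sorted by name; every byte outside the unreserved set is percent-encoded.
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )


def _signature(method: str, host: str, canonical_uri: str, params: dict, secret_key: str) -> str:
    """The actual SigV4 computation shared by the signer and the verifier."""
    access_key, datestamp, region, service, _term = params["X-Amz-Credential"].split("/")
    scope = f"{datestamp}/{region}/{service}/aws4_request"
    canonical_request = "\n".join(
        [method, canonical_uri, _canonical_query(params), f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", params["X-Amz-Date"], scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    key = _signing_key(secret_key, datestamp, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_s3(method, bucket, key, access_key, secret_key, region, expires, now, session_token=None):
    """Return a SigV4 presigned URL for `method` on s3://bucket/key.

    `now` is passed in explicitly so the result is deterministic; a real
    caller would pass datetime.now(timezone.utc). Note what is absent: no
    network call, so the signer's permissions are never consulted here."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    canonical_uri = quote("/" + key, safe="/-_.~")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{now.strftime('%Y%m%d')}/{region}/s3/aws4_request",
        "X-Amz-Date": now.strftime("%Y%m%dT%H%M%SZ"),
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:
        # Temporary credentials (a Lambda execution role, for instance) carry
        # their STS token in the query string, and it is covered by the signature.
        params["X-Amz-Security-Token"] = session_token
    sig = _signature(method, host, canonical_uri, params, secret_key)
    return f"https://{host}{canonical_uri}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned(url: str, secret_key: str, method: str, now) -> bool:
    """What S3 does first when the URL is used: recompute the signature and
    check the expiry. Only after this passes does IAM evaluate whether the
    signing principal may perform the action, which is where the poster's
    AccessDenied came from. A True here therefore means 'authentic and
    unexpired', not 'authorized'."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    expected = _signature(method, parts.netloc, parts.path, params, secret_key)
    if not hmac.compare_digest(presented, expected):
        return False  # wrong key, wrong method, or a tampered path/query
    signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return now <= signed_at + timedelta(seconds=int(params["X-Amz-Expires"]))


if __name__ == "__main__":
    url = presign_s3("PUT", "xxx-content-test", "pa112345/artifacts/Q0BUG4IK/ovQhVz2vw0Li2iuDpmZh",
                     ACCESS_KEY, SECRET_KEY, "us-east-1", 3600, SIGNED_AT, SESSION_TOKEN)
    print(url)
    print("authentic now:", verify_presigned(url, SECRET_KEY, "PUT", SIGNED_AT))
    print("authentic two hours later:", verify_presigned(url, SECRET_KEY, "PUT", TWO_HOURS_LATER))
```

Two things follow from the code. First, `presign_s3` cannot fail for lack of permissions because the signing identity's policy is not an input to the computation; if you want the Lambda to find out early that its role cannot write to the prefix, it has to make a real, authorization-bearing request of its own before handing out the URL. Second, `verify_presigned` is a reminder that the signature only proves the URL was minted by someone holding the role's credentials; S3 then acts as that role, which is why the role, not the end user, needs s3:PutObject on the object.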
