Presumably each user will be uploading a photo to S3 with a unique prefix and name and also (presumably) you are keeping track of which prefix/name is being used by which user because you need that later. Admittedly this can be done with object metadata but it would be unwise to let the users set their own metadata - you can't (as you point out) trust what the user is doing.
If a presigned URLs was obtained by a malicious user then they can definitely upload an image that will appear to belong to the original user. The best defense here is a short expiry time on the URL. If a malicious user completely "owns" the browser that the target user is using then there isn't much you can do about that.
If a malicious user was to modify the front-end code to appear as another user (presumably to obtain a presigned URL from API Gateway) then the call to API Gateway should fail - because the call should be authenticated and the user identity (that has been modified) will not match the token that is sent to API Gateway. The whole idea of the tokens issued by Cognito is the end-user can't create a fake one.
If your code depends on a field that is controlled by the user in order to generate the persigned URL then I'd suggest that you need to change that so that the user identity is determined from something that the user cannot modify.
Generate S3 Presigned URL with 7 Day Expiry via LambdaAccepted Answerasked 2 years ago
S3 SHA256 Checksum for Presigned URL in File Uploadasked 9 months ago
S3 presigned URLs not working with Safari 15/iOS 15Accepted Answerasked 3 months ago
How to limit s3 mutlipart upload filesize?asked 7 months ago
Upload data to S3 using lambdaasked 3 months ago
S3 presigned url access DeniedAccepted Answerasked 9 months ago
Generate presigned url for S3 Object LambdaAccepted Answerasked 2 years ago
s3 create Presigned Multipart Upload URL using APIasked 7 months ago
S3 multipart upload to presigned URL returns HTTP 500 on OPTIONS requestAccepted Answerasked 10 months ago
How to enable presigned S3 URL for different users?asked 9 months ago