Multi-account Multi-region config aggregation / recording


I've been trying to set up multi-account config aggregation and recording at org level.

I'd been trying to do it with Terraform, but ended up re-doing it via the console, and also while logged in under the root account for the org, to make sure there weren't delegation issues.

I've got the config aggregator set up, logging to S3, and I'm seeing events come in and getting written, but only from the org account itself. I see the sub-accounts in the aggregator, and the status shows up "Ok" for each of them (this was true even previously, when I'd set it up from an IAM account with admin privs); however, I'm not yet seeing any configurations or events coming through. Resources from the org itself are showing up fine.

  • Config aggregator is using a custom role based on AWSConfigRoleForOrganizations as well as an sts:AssumeRole policy attachment
  • The recorder has "Use an existing AWS Config service-linked role" (AWSServiceRoleForConfig) selected currently

https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data-troubleshooting.html mentions "Enable AWS Config in the source account", but based on the other docs, it seems like that should not actually be necessary with this type of setup?

Presumably since the recorder and aggregator are in the org account, as well as the target bucket, the other accounts within the org don't need any permissions for the bucket, right?

Also, will all the stuff from sub accounts show up under [bucket]/AWSLogs/[org account ID]/Config/us-east-2/2023/2/24/ConfigHistory/ if that's where the aggregator itself is? Or would I expect them to show up in the same structure as CloudTrail logs etc., where they're under the org ID and then sub account ID ([bucket]/AWSLogs/o-XXXXXXXX/[sub account id]/Config)?

[Screenshot: Aggregator menu view in console]

[Screenshot: Detail of one sub account's status]

[Screenshot: Aggregator main page only shows the org account]
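One way to check which accounts are actually delivering Config objects into the bucket, as an added example that is not part of the original post and not AWS's own tooling: feed it the key names from an `aws s3 ls --recursive` listing and it counts ConfigHistory/ConfigSnapshot objects per 12-digit account ID and lists the member accounts with nothing delivered. Both key layouts it recognizes are taken from the question as assumptions (the flat `AWSLogs/<account>/Config/...` path and an org-prefixed `AWSLogs/o-.../<account>/Config/...` path); the account IDs, org ID and object names in `SAMPLE_KEYS` are constructed.

```python
import re
import sys
from collections import Counter, defaultdict

# Key layouts handled (assumptions drawn from the question, not verified against
# AWS documentation):
#   flat: AWSLogs/<account-id>/Config/<region>/<yyyy>/<m>/<d>/<kind>/<object>
#   org:  AWSLogs/<org-id>/<account-id>/Config/<region>/<yyyy>/<m>/<d>/<kind>/<object>
CONFIG_KEY_RE = re.compile(
    r"^AWSLogs/"
    r"(?:(?P<org>o-[a-z0-9]+)/)?"            # optional organization prefix
    r"(?P<account>\d{12})/Config/"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)/"   # e.g. us-east-2, us-gov-west-1
    r"(?P<year>\d{4})/(?P<month>\d{1,2})/(?P<day>\d{1,2})/"
    r"(?P<kind>ConfigHistory|ConfigSnapshot)/"
    r"(?P<object>[^/]+)$"
)


def parse_config_key(key):
    """Return a dict describing a Config delivery object, or None for any other key
    (CloudTrail objects, the ConfigWritabilityCheckFile marker, etc.)."""
    m = CONFIG_KEY_RE.match(key)
    if m is None:
        return None
    parts = m.groupdict()
    parts["layout"] = "org" if parts["org"] else "flat"
    return parts


def summarize_delivery(keys, expected_accounts):
    """Count delivered objects per account and kind, and report which of the
    expected (member) accounts have delivered nothing at all."""
    per_account = defaultdict(Counter)
    layouts = set()
    for key in keys:
        parsed = parse_config_key(key)
        if parsed is None:
            continue
        per_account[parsed["account"]][parsed["kind"]] += 1
        layouts.add(parsed["layout"])
    missing = sorted(set(expected_accounts) - set(per_account))
    return {
        "per_account": {acct: dict(c) for acct, c in per_account.items()},
        "missing": missing,
        "layouts": sorted(layouts),
    }


# Constructed sample listing: one org/management account (1111...) delivering in the
# flat layout, one member account (2222...) in the org-prefixed layout, one member
# account (3333...) delivering nothing, plus two non-Config objects that must be ignored.
SAMPLE_KEYS = [
    "AWSLogs/111111111111/Config/us-east-2/2023/2/24/ConfigHistory/"
    "111111111111_Config_us-east-2_ConfigHistory_AWS::EC2::Instance_"
    "20230224T010203Z_20230224T020304Z_1.json.gz",
    "AWSLogs/o-abc123def4/222222222222/Config/us-east-2/2023/2/24/ConfigHistory/"
    "222222222222_Config_us-east-2_ConfigHistory_AWS::S3::Bucket_"
    "20230224T010203Z_20230224T020304Z_1.json.gz",
    "AWSLogs/111111111111/Config/us-east-2/2023/2/24/ConfigSnapshot/"
    "111111111111_Config_us-east-2_ConfigSnapshot_20230224T030000Z_abcd1234.json.gz",
    "AWSLogs/111111111111/CloudTrail/us-east-2/2023/02/24/trail.json.gz",
    "AWSLogs/111111111111/Config/ConfigWritabilityCheckFile",
]
SAMPLE_EXPECTED = {"111111111111", "222222222222", "333333333333"}


if __name__ == "__main__":
    # Pass "-" to read key names (one per line) from stdin; otherwise use the sample.
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        keys = [line.strip() for line in sys.stdin if line.strip()]
        expected = set(sys.argv[2:])          # member account IDs given as extra args
    else:
        keys, expected = SAMPLE_KEYS, SAMPLE_EXPECTED
    report = summarize_delivery(keys, expected)
    for acct, kinds in sorted(report["per_account"].items()):
        print(f"{acct}: {kinds}")
    print("layouts seen:", report["layouts"])
    print("accounts with no Config objects:", report["missing"] or "none")
```

With a real listing, an empty `per_account` entry for every member account (while the org account shows ConfigHistory objects) points at the recorder side in those accounts rather than at bucket permissions; objects appearing only under the flat layout tell you which of the two paths in the question is actually in use.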

No Answers
