Cloudfront with a Lambda@Edge pointing to a private S3

I'm trying to setup a Cloudfront distribution to a S3 bucket using a OAI policy for access to S3 so that I can require connections via CloudFront. This is so I can use a Lambda@Edge to enforce some basic security to keep bots and the basic scans out. It's for a "staging" environment that shouldn't be 100% public for clients to give their approvals for launch.

However, I keep running into "SignatureDoesNotMatch" errors when using the CloudFront URL. It seems when you toggle "Restrict Bucket Access" in CloudFront that it's requiring a Signed URL or a Signed Cookie which I don't want. I just want to be able to access a private S3 bucket with the OAI policy and use a Lambda@Edge to set a "Basic Auth" policy. My code to do the basic auth works, but as soon as I turn on "Restrict Bucket Access" and turn S3 to private it all breaks and I start getting the above "SignatureDoesNotMatch" error.

Is there anyway to get a OAI policy to get to a private S3 bucket while still leaving the CloudFront distribution "public" and relying on the Lamba@Edge shim as my gatekeeper? I don't want requests to be able to by-pass CloudFront and use S3 URLs.

Edited by: rhavenn on Oct 2, 2020 9:25 AM