Access denied reading SSM parameter even though role has attached policy


I am attempting to read an SSM parameter from the browser. Using the JavaScript AWS SDK I create a new SSMClient

import { SSMClient, GetParameterCommand } from "@aws-sdk/client-ssm";
import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers";

const ssmClient = new SSMClient({
  region: "us-west-2",
  credentials: fromCognitoIdentityPool({
    clientConfig: { region: "us-west-2" },
    identityPoolId: "us-west-2:xxxxx...",
  }),
});

and then send a GetParameterCommand:

await ssmClient.send(
  new GetParameterCommand({
    Name: "{arn of Parameter}",
  })
);

The identity pool provides a guest role that has the SSMReadOnly permission:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:Describe*",
                "ssm:Get*",
                "ssm:List*"
            ],
            "Resource": "*"
        }
    ]
}

so it should be able to perform ssm:GetParameter. However, when I run this in the browser, I get the error:

AccessDeniedException: User: arn:aws:sts::{aws account id}:assumed-role/{role}/CognitoIdentityCredentials is not authorized to perform: ssm:GetParameter on resource: {arn of Parameter} because no session policy allows the ssm:GetParameter action

I also tried a policy statement with no wildcards, i.e. the only action was ssm:GetParameter and Resource was the specific ARN of my parameter. Is there something I'm missing in terms of configuring permissions? For reference, I was able to use a similar pattern of Identity Pool providing a role to Dynamo Read-only permissions in the same application. I also confirmed I can read the parameter in the IAM Policy Simulator.

No Answers
