The EC2 Instance doesn't need to have outbound internet access (NAT or IGW).
I've had similar issues in the past; ensure you have all three service endpoints set up (Security Group & Subnet mappings):
The Security Group for the Endpoints should allow HTTPS access from your VPC range (or narrowed down), and if you've modified the outbound rules on your Instance's Security Group, verify that too.
For completeness: the issue was missing Private DNS for the Endpoints.
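
The checks discussed in this thread (Private DNS, subnet mappings, HTTPS ingress on the endpoint Security Group) can be run offline against saved output, as an added example that is not part of the original answer. It assumes JSON shaped like the `VpcEndpoints` and `SecurityGroups` lists returned by `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups`; the function names, IDs, CIDRs and service names are hypothetical placeholders.

```python
import ipaddress

def sg_admits_https(sg, instance_ip, instance_sgs=()):
    """True if an ingress rule admits TCP/443 from the instance (by CIDR or SG reference)."""
    ip = ipaddress.ip_address(instance_ip)
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535):
                continue
        elif proto != "-1":  # "-1" means all protocols and ports
            continue
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
        if any(p.get("GroupId") in instance_sgs for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False

def audit_endpoints(endpoints, security_groups, instance_ip, instance_sgs=()):
    """Return (endpoint_id, issue) pairs for interface endpoints the instance cannot use."""
    by_id = {g["GroupId"]: g for g in security_groups}
    findings = []
    for ep in endpoints:
        if ep.get("VpcEndpointType") != "Interface":
            continue
        eid = ep["VpcEndpointId"]
        if not ep.get("PrivateDnsEnabled"):
            findings.append((eid, "private-dns-disabled"))
        if not ep.get("SubnetIds"):
            findings.append((eid, "no-subnet-mapping"))
        groups = [by_id[g["GroupId"]] for g in ep.get("Groups", []) if g["GroupId"] in by_id]
        if not any(sg_admits_https(g, instance_ip, instance_sgs) for g in groups):
            findings.append((eid, "https-blocked"))
    return findings

def _rule(cidr):  # constructed ingress rule: TCP/443 from one CIDR
    return [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": cidr}]}]

def _ep(eid, dns, sg):  # constructed interface endpoint record
    return {"VpcEndpointId": eid, "VpcEndpointType": "Interface", "PrivateDnsEnabled": dns,
            "ServiceName": "com.amazonaws.REGION.SERVICE", "SubnetIds": ["subnet-aaa"],
            "Groups": [{"GroupId": sg}]}

# Constructed sample data (placeholders, not taken from the thread).
SAMPLE_SGS = [{"GroupId": "sg-open", "IpPermissions": _rule("10.0.0.0/16")},
              {"GroupId": "sg-narrow", "IpPermissions": _rule("10.0.9.0/24")}]
SAMPLE_ENDPOINTS = [_ep("vpce-a", True, "sg-open"), _ep("vpce-b", False, "sg-open"),
                    _ep("vpce-c", True, "sg-narrow")]

if __name__ == "__main__":
    for finding in audit_endpoints(SAMPLE_ENDPOINTS, SAMPLE_SGS, "10.0.1.25"):
        print(finding)
```

The audit covers only the endpoint side; the instance's own outbound rules still need a separate look.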