Hosting Internal Static Website with ALB, S3, and VPC Endpoints - trying to access via SSH tunnel through SSM


I have used this AWS blog as a reference - https://aws.amazon.com/blogs/networking-and-content-delivery/hosting-internal-https-static-websites-with-alb-s3-and-privatelink/ - to host an Angular application for internal access.

Instead of connecting via DirectConnect or a VPN as mentioned, I need to access the Angular app from a local machine using SSH tunnel through SSM. A script establishes a connection to the EC2 bastion as follows:

aws ssm start-session --target $bastion --region eu-west-1 --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host=$1,portNumber=$2,localPortNumber=$3 &

where the host is the FQDN (matching the bucket name). In the Private Hosted Zone, there is a CNAME record for the FQDN that points to the internal ALB DNS value.

When trying to access the website from a local machine with the SSH tunnel (using http://localhost/index.html), I get the following error:

<Error>
<Code>PermanentRedirect</Code>
<Message>
The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.
</Message>
<Endpoint>s3.amazonaws.com</Endpoint>
<Bucket>index.html</Bucket>
<RequestId>ABCDEFGHIK1234</RequestId>
<HostId>
HzB5MRTSYbssdfgsdfgRu6MPxIO4o52cDik1Z8sdfgsdfg7tFtAUcwucOUHs3DqsdfgsdgHoKNf1sxQ=
</HostId>
</Error>

I have verified that the website does load on the bastion, so the internal config is not an issue.

Is it possible to use SSH tunnels over SSM in this scenario or is a VPN required?

1 Answer
Accepted Answer

Your problem is with HTTP Host headers. By using http://localhost you're sending the GET message to the S3 endpoint, but during the HTTP conversation you're asking for the website called localhost.

To have it work on your machine, create an entry in your hosts file to match the FQDN of your website bucket (the same name you use to access it from the bastion) and set its IP address to 127.0.0.1.

Then, from your PC, after the SSH tunnel is up, try to access the website using the FQDN. It will resolve to your loopback and be tunnelled via SSH, and it should all work.

EXPERT
answered 7 months ago
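The accepted answer's point is that the request entering the tunnel must carry the website FQDN as its Host header (and, for HTTPS, as the TLS SNI), not "localhost". The script below is an added example written for this thread, not code from the question, the answer or the AWS blog post. It does two things: it builds a curl command that uses --resolve to pin the FQDN to 127.0.0.1 for a single request (the per-command equivalent of the hosts-file entry the answer recommends, useful for checking the tunnel before editing /etc/hosts), and it classifies an S3 XML error body so the Host-header mismatch in the question is recognisable from the response alone. The FQDN, the local tunnel port and the sample error body are constructed placeholders.

```shell
#!/bin/sh
# Added example for the re:Post thread above; not from the original page.
# Assumed (hypothetical) values: the website/bucket FQDN and the local port
# passed as localPortNumber when the SSM port-forwarding session was started.
FQDN="internal.example.corp"
LOCAL_PORT="8443"

# Print a curl command that sends the request through the local tunnel while
# keeping the FQDN in the Host header and SNI. --resolve maps FQDN:PORT to
# 127.0.0.1 for this invocation only, so no hosts-file change is needed to test.
curl_via_tunnel() {
  scheme="$1"   # http or https
  path="$2"     # e.g. /index.html
  printf 'curl -sS --resolve %s:%s:127.0.0.1 %s://%s:%s%s\n' \
    "$FQDN" "$LOCAL_PORT" "$scheme" "$FQDN" "$LOCAL_PORT" "$path"
}

# Read an S3 XML error body from stdin and print one of:
#   host-header-mismatch  - PermanentRedirect where S3 took a path segment as
#                           the bucket name, i.e. the Host header was not the
#                           bucket FQDN (the "localhost" case in the question)
#   other-s3-error        - some other S3 error code
#   not-s3-error          - no <Code> element found at all
classify_s3_error() {
  body=$(cat)
  code=$(printf '%s\n' "$body" | sed -n 's|.*<Code>\([^<]*\)</Code>.*|\1|p' | head -n 1)
  bucket=$(printf '%s\n' "$body" | sed -n 's|.*<Bucket>\([^<]*\)</Bucket>.*|\1|p' | head -n 1)
  if [ -z "$code" ]; then
    echo not-s3-error
  elif [ "$code" = "PermanentRedirect" ] && [ -n "$bucket" ] && [ "$bucket" != "$FQDN" ]; then
    # With Host: localhost, S3 falls back to path-style parsing and treats the
    # first path segment ("index.html") as the bucket name.
    echo host-header-mismatch
  else
    echo other-s3-error
  fi
}

# Constructed sample body, shaped like the error quoted in the question.
SAMPLE_ERROR='<Error>
<Code>PermanentRedirect</Code>
<Endpoint>s3.amazonaws.com</Endpoint>
<Bucket>index.html</Bucket>
</Error>'

# Usage when run directly: show the command to try, and classify the sample.
curl_via_tunnel https /index.html
printf '%s\n' "$SAMPLE_ERROR" | classify_s3_error
```

If the classifier reports host-header-mismatch, the tunnel itself is working and the fix is purely name resolution on the client: either the hosts-file entry from the answer or the --resolve form shown, after which the browser or curl presents the bucket FQDN and the internal ALB and S3 endpoint route the request correctly.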
