How do I restrict access to an s3 bucket behind a transit gateway?

Suppose I have 2 VPCs, VPC-A and VPC-B. My workspace (where traffic originates from) is in VPC-A, and I have my application in VPC-B. These VPCs are attached by a transit gateway. These VPCs are in two accounts, Account-A and Account-B respectively.

Suppose I want to make a private S3 bucket in Account-B. This S3 bucket houses a static site which we only want to make visible to the interconnected network, VPC-A and VPC-B.

How would I go about doing this without modifying any resources in Account-A?

Note: It seems you cannot just use an S3 Gateway Service Endpoint. As per the docs,

Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, AWS Direct Connect connection, or ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.

(This is because a typical "Gateway" Service endpoint works on the principle of actively modifying a subnet's route table so that IPs that match the current public S3 IPs are redirected through the endpoint. If modifications are only in Account-B, then adding these route tables would be impossible)