EC2 Instance Connect Endpoint blocks ports other than 22 and 3389

On June 14th, 2023 AWS launched new connectivity options for EC2 Instance Connect - https://aws.amazon.com/blogs/compute/secure-connectivity-from-public-to-private-introducing-ec2-instance-connect-endpoint-june-13-2023/

This was a great improvement as it allowed direct secure access to RDS databases in private subnets without having to go through an existing EC2 instance (either via SSH or AWS SSM). In our particular case we have no need to run any EC2 instances at all as we're "serverless".

Around June 28th this stopped working.

Running the following:

aws ec2-instance-connect open-tunnel \
  --private-ip-address <IP-ADDRESS-WAS-HERE> \
  --instance-connect-endpoint-id "<ENDPOINT-ID-WAS-HERE>" \
  --remote-port 5432 \
  --local-port 5432 \
  --region us-west-2

now returns

Listening for connections on port 5432.
[1] Accepted new tcp connection, opening websocket tunnel.

awscli.customizations.ec2instanceconnect.websocket - ERROR - {"ErrorCode":"InvalidParameter","Message":"The specified RemotePort is not valid. Specify either 22 or 3389 as the RemotePort and retry your request."}

AWS_ERROR_HTTP_WEBSOCKET_UPGRADE_FAILURE: Failed to upgrade HTTP connection to Websocket.

Now of course we can spin up an EC2 instance and use SSH or AWS SSM to port forward access to our database, but the original approach worked fantastically and reduced our security and audit burden. Can anyone from AWS comment on why the pre-existing solution was disabled and if we can expect it to be fixed in the future?