New account created with Account Factory keeps failing to enroll in OU


I have a Control Tower environment with a few OUs and accounts that were made during the landing zone initialization process.

After landing zone creation was done, I made a new OU in the organization of the management account and tried to create some accounts with Account Factory, which is also located in the management account.

FYI, I log in to the management account via an SSO user with the AWSAdministratorAccess policy.

The issue is that whenever I try to create an account, after the account has been made it keeps failing to enroll in the OU I specified during the creation process, and the management console gives two possible causes of failure:

  • Your IAM principal lacks the necessary permissions to provision an account. To enroll an existing account, the AWSControlTowerExecution role must be present in the account you're enrolling.
  • AWS Security Token Service (AWS STS) is disabled in your AWS account in your home region.

The funny thing is I'm not trying to enroll an existing account in the OU; these are all brand new accounts. So I think it's a bit of nonsense that AWS says that.

Has anyone encountered a situation like this before or now? If anyone knows the cause and a workaround, it would be a real pleasure to get some enlightenment from your experiences.

V
Asked 9 months ago · Viewed 322 times
2 answers

Hi, sorry, your question is not 100% clear. Are you trying to provision an account via the Service Catalog Account Factory? If yes, in that case you should sign in using the portal and use AWSServiceCatalogEndUserAccess to go to the management console. https://docs.aws.amazon.com/controltower/latest/userguide/provision-as-end-user.html

If this is not the case, can you share some steps and screenshots of how you are provisioning accounts?

AWS
Answered 9 months ago
  • What I'm trying to do is provision an account from the Account Factory menu inside the Control Tower service dashboard. So with AWSServiceCatalogEndUserAccess-level access I can't access the Control Tower dashboard and the other menus.
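The thread does not pin down the cause, but the console error lists two concrete preconditions (STS usable in the home region, and an assumable AWSControlTowerExecution role in the target account) that can be verified directly before retrying. The script below is an added example, not code from the original thread or from AWS; it assumes the AWS CLI v2 is configured with the management-account SSO session, that `HOME_REGION` is set to the landing zone's home region (it defaults to us-east-1 only as a placeholder), and that the account ID and OU ID passed on the command line are placeholders you replace. The function names (`preflight`, `sts_ok_in_region`, `execution_role_present`, `account_in_ou`) are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): preflight checks for the two
# failure causes the Account Factory error message lists, plus a check that the
# new account actually landed in the requested OU. Assumes the AWS CLI v2 is
# configured with the management-account SSO session. HOME_REGION defaults to
# us-east-1 as an assumption; set it to your landing zone's home region.
set -u

HOME_REGION="${HOME_REGION:-us-east-1}"

# Cause 2 from the error message: STS disabled in the home region. A caller-identity
# call fails if the regional STS endpoint is deactivated or the session is invalid.
sts_ok_in_region() {
  local region="$1"
  aws sts get-caller-identity --region "$region" --output text >/dev/null 2>&1
}

# Cause 1 from the error message: AWSControlTowerExecution must exist in the target
# account and trust the management account. Assuming it proves both at once.
execution_role_present() {
  local account_id="$1"
  aws sts assume-role \
    --role-arn "arn:aws:iam::${account_id}:role/AWSControlTowerExecution" \
    --role-session-name ct-preflight \
    --query 'Credentials.Expiration' --output text >/dev/null 2>&1
}

# Did enrollment succeed? Control Tower moves the account into the OU it was
# provisioned for; an account that never reached the OU was created but not enrolled.
account_in_ou() {
  local account_id="$1" ou_id="$2"
  aws organizations list-accounts-for-parent --parent-id "$ou_id" \
    --query "Accounts[?Id=='${account_id}'].Id" --output text 2>/dev/null \
    | grep -q "$account_id"
}

# Runs all three checks and returns the number that failed (0 means all passed).
preflight() {
  local account_id="$1" ou_id="$2" failed=0
  if sts_ok_in_region "$HOME_REGION"; then
    echo "OK    STS reachable in home region ${HOME_REGION}"
  else
    echo "FAIL  STS call failed in ${HOME_REGION}: check STS region activation and your session"
    failed=$((failed + 1))
  fi
  if execution_role_present "$account_id"; then
    echo "OK    AWSControlTowerExecution assumable in ${account_id}"
  else
    echo "FAIL  cannot assume AWSControlTowerExecution in ${account_id}: role missing or trust policy wrong"
    failed=$((failed + 1))
  fi
  if account_in_ou "$account_id" "$ou_id"; then
    echo "OK    ${account_id} is a member of ${ou_id}"
  else
    echo "FAIL  ${account_id} is not in ${ou_id}: account created but not enrolled"
    failed=$((failed + 1))
  fi
  return "$failed"
}

# Usage: ./ct-preflight.sh <new-account-id> <ou-id>
# Both arguments are placeholders, e.g. 111122223333 ou-abcd-12345678.
if [ "$#" -eq 2 ]; then
  preflight "$1" "$2"
fi
```

Run it with the management-account SSO session active; each failing line points at one of the listed causes, and the exit status is the number of failed checks, so it can gate a retry in a pipeline. If the assume-role check fails for an account that Account Factory reports as created, the account exists but Control Tower's role provisioning or the trust relationship is the thing to inspect, not the OU.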


Thanks for the reply, User#5454640I!

I tried provisioning the account from the Account Factory menu inside the Control Tower dashboard and used AWSAdministratorAccess to access the portal.

I think AWSAdministratorAccess includes the access level that AWSServiceCatalogEndUserAccess has, but I'll try to provision with AWSServiceCatalogEndUserAccess-level access like you suggested anyway.

Thanks for the tip.

V
Answered 9 months ago
