CloudFront 403 errors with S3 (SSE-S3)

We have an S3 bucket with existing objects, and recently I've enabled SSE-S3 as the Encryption setting for the bucket, as the bucket was not encrypting. So, given this fact, all previously existing objects are not encrypted, but recently created ones are encrypted.

We set up a CloudFront distribution using the S3 bucket as origin, and we allowed the CloudFront console "wizard" to update the bucket policy to allow GetObject requests from the distribution Origin.

With this setup, all previous S3 objects are accessible via CloudFront, but recently created ones are not. I was thinking of a KMS permission-related problem, but since we are using SSE-S3 and not SSE-KMS, this should not be the case.

Any ideas of what could be the problem? I tried looking in CloudTrail logs, but no related events could be found :(

BTW: this is in the us-east-1 (Virginia) region.

This is the error message shown in the browser:

Browser error message

This is the bucket policy:

{
    "Version": "2012-10-17",
    "Id": "S3-Console-Auto-Gen-Policy-1657210423217",
    "Statement": [
        {
            "Sid": "S3PolicyStmt-DO-NOT-MODIFY-1657210422966",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<MY-BUCKET>/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <MY-OAI>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<MY-BUCKET>/*"
        }
    ]
}

This is the current bucket encryption setting:

Encryption setting

  • Hi, @gvasquez.

    There may be a problem with your bucket policy. Can you provide it?

  • @iwasa I just provided a "redacted" version of the bucket policy

Asked 2 years ago, viewed 1,059 times
2 answers
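An added diagnostic helper, not from this thread or from AWS, that exercises the two checks the question turns on: what HeadObject actually reports under ServerSideEncryption for an old versus a new object (AES256 is SSE-S3; aws:kms would mean a KMS key policy is involved after all), and whether the bucket policy grants the OAI s3:GetObject on the object ARN. It works on the JSON that `aws s3api head-object` and `aws s3api get-bucket-policy` return, so the logic runs offline; the sample responses are constructed, and the bucket, OAI, account and key ids are placeholders.

```python
"""Offline checks for a CloudFront (OAI) -> S3 403 investigation.

Added example. The sample HeadObject responses and the bucket policy below
are constructed to mirror the question; <MY-BUCKET>, <MY-OAI> and the KMS
key id are placeholders, not real identifiers.
"""
from fnmatch import fnmatchcase

# Constructed HeadObject responses: an object written before SSE-S3 was enabled
# (no ServerSideEncryption field), one written after (AES256 == SSE-S3), and,
# for contrast, an SSE-KMS object, which also reports the key it used.
OLD_OBJECT_HEAD = {"ContentLength": 1024, "ETag": '"<ETAG-PLACEHOLDER>"'}
NEW_OBJECT_HEAD = {"ContentLength": 2048, "ServerSideEncryption": "AES256"}
KMS_OBJECT_HEAD = {
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/<KEY-ID-PLACEHOLDER>",
}

OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <MY-OAI>"

# Constructed copy of the redacted bucket policy posted in the question.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3PolicyStmt-DO-NOT-MODIFY-1657210422966",
            "Effect": "Allow",
            "Principal": {"Service": "logging.s3.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<MY-BUCKET>/*",
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_ARN},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<MY-BUCKET>/*",
        },
    ],
}


def encryption_mode(head):
    """Classify an object from its HeadObject response.

    An OAI can read SSE-S3 (AES256) objects with s3:GetObject alone; an
    SSE-KMS object additionally requires kms:Decrypt on the key, so "aws:kms"
    here would move the investigation to the key policy, not the bucket.
    """
    sse = head.get("ServerSideEncryption")
    if sse is None:
        return "none"
    if sse == "AES256":
        return "SSE-S3"
    if sse == "aws:kms":
        return "SSE-KMS"
    return "other:" + sse


def _as_list(value):
    return value if isinstance(value, list) else [value]


def getobject_decision(policy, principal_arn, object_arn):
    """Evaluate the bucket policy for s3:GetObject by one principal.

    Simplified IAM logic: an explicit Deny wins, otherwise any matching Allow
    grants, otherwise the result is an implicit deny. Conditions are not
    evaluated; a matching statement that carries one is reported in notes so
    the reader checks it by hand.
    """
    allowed, notes = False, []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            continue
        principals = stmt.get("Principal", {})
        if principals == "*":
            matched = True
        else:
            matched = principal_arn in _as_list(principals.get("AWS", []))
        if not matched:
            continue
        if not any(fnmatchcase(object_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt:
            notes.append(f"statement {stmt.get('Sid')} has a Condition; verify it")
        if stmt["Effect"] == "Deny":
            return "explicit-deny", notes
        allowed = True
    return ("allow" if allowed else "implicit-deny"), notes


def diagnose(head, policy, principal_arn, object_arn):
    """Combine both checks into a list of findings for one object."""
    findings = []
    mode = encryption_mode(head)
    if mode == "SSE-KMS":
        findings.append("object is SSE-KMS: the reader also needs kms:Decrypt on the key")
    decision, notes = getobject_decision(policy, principal_arn, object_arn)
    if decision != "allow":
        findings.append(f"bucket policy gives {decision} for s3:GetObject")
    findings.extend(notes)
    return mode, decision, findings


def fetch_head_object(bucket, key):
    """Live lookup for real use; boto3 is imported here so the offline checks
    above run without it. Requires AWS credentials for the bucket owner."""
    import boto3
    return boto3.client("s3").head_object(Bucket=bucket, Key=key)
```

Run `diagnose()` once with the HeadObject response of an object that works and once with one that returns 403; if both come back as SSE-S3 with an "allow" decision and no notes, the difference between the objects is not in the bucket policy or in the encryption mode, and the next place to look is the object itself (for example its owner or ACL) rather than the policy.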
403, i.e. some permission issue...

Assuming you are not allowing access via direct S3 URL

Jules_N (AWS)
Answered 2 years ago
  • @Jules_N I just updated the question adding the bucket policy (with account & bucket details redacted) and also provided a screenshot of the encryption settings

Hi,

Do you have WAF enabled for CloudFront? Not sure how that could impact SSE-S3 object requests, but it is good to rule that out. If WAF is enabled, you might want to check this document - https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-error-request-blocked/

--Syd

Syd
Answered 2 years ago
