I am implementing developer-authenticated identities in an Angular app that uses the "Enhanced Workflow" from the official documentation. I followed the official guide for implementing this and am using GetOpenIdTokenForDeveloperIdentityRequest() on the server side to request a token for my end user, and I'm returning it to my Angular Web Client so that the Web Client can fetch its temporary credentials from Cognito. Unfortunately, the guide isn't updated to illustrate how to achieve this in SDK version 3 (and most online questions and solutions also refer to older versions of the SDK), but I'm managing to get a set of credentials back from Cognito. (In the code below I do a console.log that writes out the credentials I receive. Perfect up to that point.)
The problem is that I can't figure out how to properly construct a Service Client to now use these credentials. Below is my attempt. I am constructing a Service Client (in this case LocationClient) and sending through a command on this client (GetDevicePositionCommand). This, however, throws an error, and if I inspect the network call that was made, I see that the network response when making this call was a 403 error with X-Amzn-Errortype "InvalidSignatureException". The error message is:
"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method."
The Canonical String for this request should have been....
Am I using the temporary credentials returned from Cognito correctly to construct the Service Client (LocationClient)? Any ideas on how to resolve this problem? (I have already consulted this troubleshooting guide but I haven't found anything helpful there.) Below is my client-side code from my Angular Web App.
    import { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";
    import { fromCognitoIdentity } from "@aws-sdk/credential-providers";
    import { LocationClient, GetDevicePositionCommand } from "@aws-sdk/client-location";

    const cognitoIdentity = new CognitoIdentityClient({
      credentials: fromCognitoIdentity({
        // IdentityId returned from calling GetOpenIdTokenForDeveloperIdentityRequest() on my server side
        identityId: 'IDENTITY_ID_RETURNED_FROM_MY_DEVELOPER_PROVIDER',
        logins: {
          // Token returned from calling GetOpenIdTokenForDeveloperIdentityRequest() on my server side
          'cognito-identity.amazonaws.com': 'TOKEN_RETURNED_FROM_MY_DEVELOPER_PROVIDER'
        },
        clientConfig: { region: "eu-west-1" },
      }),
    });

    const credentials = await cognitoIdentity.config.credentials();
    console.log(credentials); // There's output! So this part works.
    // {
    //   identityId: 'eu-west-1:XXXX',
    //   accessKeyId: 'ALA...',
    //   secretAccessKey: '/XXXXxxxXXXXxxXXXxXXXXX',
    //   sessionToken: 'IQoJb3JpZ2luX2VjEJj//////////...', // sessionToken cut for brevity
    //   expiration: 2024-02-13T08:58:10.000Z
    // }

    const trackingClient = new LocationClient({
      region: 'eu-west-1',
      credentials: credentials,
    });

    const input = {
      TrackerName: "xxxxx",
      DeviceId: "xxxxxxx",
    };
    const posCommand = new GetDevicePositionCommand(input);

    try {
      const response = await trackingClient.send(posCommand); // This line throws an error
    } catch (error) {
      console.log('error'); // Error caught
    }
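
The 403 quoted above means the service recomputed the SigV4 signature from the request it received and got a different value than the one the client sent. As an added illustration (not the asker's code and not AWS SDK source), this Node.js example derives a SigV4 signature and shows that changing one signed input, here the session-token header, yields a different signature; the credentials, host, path and signing name `geo` are constructed or assumed values.

```javascript
// Added illustration for Node.js; not the asker's code and not AWS SDK source.
const { createHmac, createHash } = require("node:crypto");

const hmac = (key, data) => createHmac("sha256", key).update(data, "utf8").digest();
const sha256Hex = (data) => createHash("sha256").update(data, "utf8").digest("hex");

// Signing key: HMAC chain over date, region, service and the fixed terminator.
function signingKey(secretAccessKey, dateStamp, region, service) {
  const kDate = hmac("AWS4" + secretAccessKey, dateStamp);
  return hmac(hmac(hmac(kDate, region), service), "aws4_request");
}

// Canonical request: header names lowercased and sorted, values trimmed.
// Assumes path and query are already URI-encoded in canonical form.
function canonicalRequest({ method, path, query = "", headers, payload = "" }) {
  const lower = Object.fromEntries(Object.entries(headers).map(
    ([name, value]) => [name.toLowerCase(), String(value).trim().replace(/\s+/g, " ")]));
  const names = Object.keys(lower).sort();
  const canonicalHeaders = names.map((n) => `${n}:${lower[n]}\n`).join("");
  return [method, path, query, canonicalHeaders, names.join(";"), sha256Hex(payload)].join("\n");
}

// Hex signature that goes into the Authorization header.
function sign(creds, req, { amzDate, region, service }) {
  const dateStamp = amzDate.slice(0, 8);
  const scope = `${dateStamp}/${region}/${service}/aws4_request`;
  const stringToSign = ["AWS4-HMAC-SHA256", amzDate, scope,
    sha256Hex(canonicalRequest(req))].join("\n");
  return hmac(signingKey(creds.secretAccessKey, dateStamp, region, service), stringToSign)
    .toString("hex");
}

// Constructed sample values, not real credentials or a captured request.
const SAMPLE_CREDS = { secretAccessKey: "EXAMPLE-SECRET", sessionToken: "EXAMPLE-TOKEN" };
const SAMPLE_CTX = { amzDate: "20240213T075810Z", region: "eu-west-1", service: "geo" };
const sampleRequest = (token) => ({
  method: "GET",
  path: "/tracking/v0/trackers/xxxxx/devices/xxxxxxx/positions/latest", // assumed path
  headers: {
    Host: "tracking.geo.eu-west-1.amazonaws.com", // assumed host
    "X-Amz-Date": SAMPLE_CTX.amzDate,
    "X-Amz-Security-Token": token, // temporary credentials add this signed header
  },
});

const clientSide = sign(SAMPLE_CREDS, sampleRequest(SAMPLE_CREDS.sessionToken), SAMPLE_CTX);
const altered = sign(SAMPLE_CREDS, sampleRequest("DIFFERENT-TOKEN"), SAMPLE_CTX);
console.log({ clientSide, altered, match: clientSide === altered }); // match: false
```

Comparing the canonical string in the error response (truncated in the post) with the request the browser actually sent, line by line, is the usual way to find which input differs.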