S3 folder access restriction for Cognito users

Question

I am trying to restrict S3 folder access by AWS Cognito user. The assumed authenticated user role has "sts:AssumeRoleWithWebIdentity" and "sts:TagSession" in its trust policy.

I have this policy attached to my identity pool authenticated user

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermForCollection1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::***********/cid-1",
                "arn:aws:s3:::***********/cid-1/",
                "arn:aws:s3:::***********/cid-1/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:PrincipalTag/cid": "*cid-1*"
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::***********"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::***********",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:**************"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}

ListBucket works as I don't have any conditions attached to it. But GetObject fails when I add conditions to it.

I have configured the claims to be included in the identity pool (see attached). I don't know if these are being passed down or not.

nickname of the user in the Cognito user pool has "cid-2,cid-1,cid-3".

I am using Python to test it and I keep getting this error: botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

How do I check if my claims are being passed in my test code? Or is my test code not able to pass claims?

Test code below:

import boto3
from boto3.session import Session


username='aaaaaaaaaaaaa'
password='bbbbbbbbbbbbb'

client = boto3.client('cognito-idp', region_name='us-east-1')
response =  client.initiate_auth(
    AuthFlow='USER_PASSWORD_AUTH',
    AuthParameters={
        "USERNAME": username,
        "PASSWORD": password,
    },
    ClientId='*****************',
)
idtoken = response['AuthenticationResult']['IdToken']

# Get temp creds from identity pool now
client_idpool = boto3.client('cognito-identity', region_name='us-east-1')
identityId = client_idpool.get_id(
    AccountId='*************',
    IdentityPoolId='us-east-1:********************',
    Logins={
        'cognito-idp.us-east-1.amazonaws.com/*************': idtoken
    }
)['IdentityId']
print(identityId)

# After we get identity id we get temp aws creds

client_idpool2 = boto3.client('cognito-identity', region_name='us-east-1')
aws_creds = client_idpool2.get_credentials_for_identity(   
    IdentityId=identityId,
    Logins={
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_*****': idtoken
    }
)['Credentials']

s3_client = boto3.client(
    's3',
    aws_access_key_id=aws_creds['AccessKeyId'],
    aws_secret_access_key=aws_creds['SecretKey'],
    aws_session_token=aws_creds['SessionToken']
)

#print(s3_client.list_objects_v2(Bucket='ddddddddddddddddddddddd'))

s3object = s3_client.get_object(
    Bucket='ddddddddddddddddddddddd',
    Key='cid-1/123.png'
)
print(s3object)

I have at this for 2 days and tried all possible combinations. GetObject should work for "cid-1/123.png".

I keep getting access denied.

I tried using ExistingObjectTag with a constant value. That works but not this does not

"StringLike": { "aws:PrincipalTag/cid": "*${s3:ExistingObjectTag/mytag}*" }