Invalid Redirect URI for Server Based Authentication when deploying to cloudfront (localhost works fine).

We've been working on a custom feature editor that uses server based user logins to integrate AWS services with AGOL login. This has been working fine on localhost, the user is sent to the right URL and we can get a token back. Flow is:

1. Send user to URL (below)

2. Get code back

3. Exchange for a token via a lambda, that also registers a Cognito identity token for AWS credentials

4. Send back to client and register with IdentityManager.

Launching it to AWS cloudfront, however, I get an "invalid redirect_uri" error - example: https://cityofmelbourne.maps.arcgis.com/sharing/rest/oauth2/authorize?client_id=0KBzlPo2662D42j5&exp...

I've added the cloudfront URL to the whitelisted redirect URIs (both https and http). Neither work:

Am I missing something?

As a side note, passing an expiration to the above URL (/rest/oauth2/authorize) does nothing, and my token expires within 30 minutes. Am I doing something wrong there?