Your custom policy looks like an S3/IAM policy statement. That's not the kind of policy document that is used for CloudFront signed URLs. CloudFront has an entirely different policy language.
Custom policies in CloudFront -- technically speaking -- allow access to CloudFront, not the resources behind it. CloudFront signed URLs, and the logic that handles them, have no awareness of the entities or configuration on the back side, such as bucket names, keys, principals, origin access identities, etc... they only serve to specify that CloudFront is permitted to service requests for a specific URL or URL pattern, and nothing more. They operate strictly on the "front-side" of CloudFront, and there is no awareness at this layer of what's going on behind the scenes. If your CloudFront distribution is authorized to perform the request on the underlying resource, either because of unrestricted bucket access or because of permissions granted to the origin access identity, the operation succeeds. Otherwise, it will fail.
Review "Creating a Policy Statement for a Signed URL That Uses a Custom Policy" for the correct format for these policies.
Fundamentally, if you want to use CloudFront signed URLs for operations against a bucket other than GET, then you're most likely trying to use CloudFront signed URLs in a manner inconsistent with their design.
Operations other than OPTIONS "can" be sent to S3 through CloudFront, but there is only one reason to do this -- to ride the high-quality paths from the Edge network to the origin S3 location. Doing PUT through CloudFront doesn't actually store anything in CloudFront -- it just passes the request through to the bucket, and has no impact on what may already be cached in CloudFront.
You can accomplish the same purpose -- improving global network performance and throughput on non-GET operations -- by using S3 Transfer Acceleration, which exposes your bucket at https://example-bucket.s3-accelerate.amazonaws.com when you enable the feature. I'm making a bit of an oversimplification, but effectively, this puts your bucket behind a generic CloudFront distribution that does not cache, allowing you to ride the Edge network for faster transfers, but still use standard S3 signatures and policies to accomplish what you need for all other S3 operations.
Or, just send the other requests directly to the bucket.
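As an added illustration of the point the answer makes about the policy language (this is example code written for this page, not code from the answer or from AWS), the following builds a CloudFront custom policy statement, applies CloudFront's URL-safe base64 variant, and assembles the Policy/Signature/Key-Pair-Id query string. Note that the only thing the statement names is a CloudFront URL or wildcard pattern plus date/IP conditions; there is no bucket, key, principal or origin access identity anywhere in it. The distribution domain and key pair id are constructed placeholders, and the RSA-SHA1 signer assumes the third-party `cryptography` package is installed (it is imported lazily so the policy-building functions work without it).

```python
import base64
import json
import time
from typing import Callable, Optional

# Constructed placeholders for this example; replace with your own values.
DISTRIBUTION = "https://d111111abcdef8.cloudfront.net"
KEY_PAIR_ID = "KEYPAIRID_PLACEHOLDER"


def build_custom_policy(resource: str, expires_epoch: int,
                        not_before_epoch: Optional[int] = None,
                        source_ip: Optional[str] = None) -> str:
    """Return the compact JSON of a CloudFront custom policy.

    'resource' is a CloudFront URL or wildcard pattern (front side only).
    DateLessThan is mandatory; DateGreaterThan and IpAddress are optional.
    CloudFront expects the JSON with no whitespace before it is encoded.
    """
    condition = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if not_before_epoch is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": not_before_epoch}
    if source_ip is not None:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":"))


def cloudfront_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    encoded = base64.b64encode(data).decode("ascii")
    return encoded.replace("+", "-").replace("=", "_").replace("/", "~")


def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Return a signer using RSA PKCS#1 v1.5 over SHA-1, which is what
    CloudFront verifies against the public key of the trusted key pair.
    Requires the 'cryptography' package (assumption; imported lazily)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem, password=None)

    def sign(message: bytes) -> bytes:
        return key.sign(message, padding.PKCS1v15(), hashes.SHA1())

    return sign


def signed_url(url: str, policy_json: str,
               signer: Callable[[bytes], bytes], key_pair_id: str) -> str:
    """Append the three query parameters CloudFront requires for a custom
    policy. 'url' may be more specific than the wildcard in the policy."""
    sep = "&" if "?" in url else "?"
    policy_bytes = policy_json.encode("utf-8")
    return (f"{url}{sep}Policy={cloudfront_b64(policy_bytes)}"
            f"&Signature={cloudfront_b64(signer(policy_bytes))}"
            f"&Key-Pair-Id={key_pair_id}")


if __name__ == "__main__":
    # Generate a throwaway key so the example runs offline; in practice the
    # private key is the one whose public half is registered with CloudFront.
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa

    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(serialization.Encoding.PEM,
                            serialization.PrivateFormat.PKCS8,
                            serialization.NoEncryption())
    policy = build_custom_policy(f"{DISTRIBUTION}/private/*",
                                 expires_epoch=int(time.time()) + 600,
                                 source_ip="192.0.2.0/24")
    print(policy)
    print(signed_url(f"{DISTRIBUTION}/private/report.pdf", policy,
                     rsa_sha1_signer(pem), KEY_PAIR_ID))
```

The wildcard in Resource is matched by CloudFront against the requested URL, so one signed policy can cover a prefix; the bucket behind the distribution is still governed entirely by the bucket policy and the origin access identity, exactly as the answer describes.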