AWS CloudFront access to S3 through OAC returns Access Denied

I have a static website hosted on an S3 bucket. I initially had the bucket fully public and set as a static website hosting while testing cloudfront out and everything worked fine, I accessed the site through my alternate domain perfectly. However I now want to limit the S3 file accessibility and only allow access through cloudfront, but am getting Access Denied after following various tutorials.

So i followed: https://repost.aws/knowledge-center/cloudfront-serve-static-website which also follows a few other tutorials I have read since, and they all say the same thing for the OAC process but I am getting Access Denied when trying to access my website.

So I have my S3 bucket with public access now fully disabled and static website hosting disabled now as well, I made a cloudfront origin access control setting with 'sign requests' and S3 as origin type, and in my cloudfront origins i chose my S3 bucket from the origin domain, selected origin access control and chose my origin access i just created from the list, i left enable origin shield disabled, copied the S3 policy it creates and selected save changes. I then go to my S3 bucket that i selected from that origin and paste it into the policy field. so it looks like this (replaced my account info with dummy data but in the actual policy i have confirmed its correct):

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::examplebucketid/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::11736596049:distribution/E1OS67E245W70W"
                }
            }
        }
    ]
}

If I go to my cloudfront origins tab i can see that the origin domain is my S3 bucket and the origin access is the id of the access control i just setup.

On S3 I have Object Ownership - Bucket owner enforced, static website hosting is disabled, and i do have CORS set-up but I have tried without them as well. Just for reference though they're currently:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3000
    }
]

Its default behaviour has the S3 bucket chosen as origin, and redirects HTTP to HTTPS. The distributions default root object is also /index.html which is properly uploaded to the S3 bucket, and was working before setting S3 to private.

I have looked around and followed tutorials, and have even tried from fresh S3 and cloudfront distribution instances but I get the same result of access denied. I also tried using OAI instead and letting CloudFront update my S3 policy itself but was still getting Access Denied. I do wait for any cloudfront changes to be fully deployed before testing as well but same result.

Anything stick out that I need to change or can check? I've been looking for a few hours and every tutorial or other post I have seen is from an old version of the AWS interface where the options aren't the same, or simply shows what I followed except theirs worked.

Previously I had default root object as /index.html so I assumed that would remain the same because it worked when S3 was setup as static website host, but changing that to just index.html solved the issue. I guess the permission set-up was correct, just default root object wasn't set properly.