I had the same issue.
I wondered if couldfront and s3 had not yet been connected logically to the "origin access identity." This is the identity that cloudfront uses to pull content from S3, verifying signatures with the private key pair you specified.
Sure enough, that was the problem. Disable public access to the underlying S3 bucket, then tell AWS to use the appropriate identity, then try your code again.
Here's how from the Web:
From the CloudFront dashboard (https://console.aws.amazon.com/cloudfront/home), click on "Distribution" on the left to see all your distros. Select the one you want, clicking the [i] icon for more information. From there, click on the [Origins] tab and select the radio button next to your bucket. Click it, and an Edit button will appear. Click Edit. Choose "Restrict Bucket Access" in the new panel that appears. The site will prompt you for which access identity to do. Choose the identity you created. Click "Yes, Edit" to save your changes.
Good luck!