Architect Data Action calling Lambda returns 403 despite IAM trust policy

We’ve got a flow that needs to hit a Lambda function to pull some routing config before the call bridges. I’m using a standard External Integration data action in Architect. The request body just sends the interaction ID over POST. When I run it through the flow simulator, it consistently throws a 403 Forbidden.

I’m tracing the IAM setup step by step to figure out where the chain breaks. First, the execution role has lambda:InvokeFunction attached. Next, the trust policy I configured looks like this inline:

    "Condition": { "StringEquals": { "aws:SourceVpc": "vpc-0a1b2c3d4e5f" } }

Then I verify the API Gateway method request and it’s definitely passing the auth header through. The weird part is that curling the exact same endpoint from my local machine works fine.

The VPC endpoint routing seems correct, though I’m not entirely sure why the simulator chokes. I’ve been staring at the IAM policy JSON for an hour and I’m probably missing a simple resource ARN mismatch. The debug logs just keep showing the 403.
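As an added example (not the poster's code, and not IAM's real evaluation engine), here is a small Python model of the policy evaluation the post is tracing by hand. It takes one policy document plus a request context and reports which statement matched, so the two checks the post raises can be run side by side: a StringEquals condition on aws:SourceVpc against a caller that does and does not arrive through a VPC endpoint, and a Resource ARN that names the unqualified function against a request for a version-qualified ARN. The region, account id, function name and Sid are placeholders; the condition is the one quoted in the post. The same evaluator applies whether the condition sits on lambda:InvokeFunction in an identity policy or on sts:AssumeRole in a trust policy.

```python
"""Simplified IAM policy evaluator (added example; a model of IAM's logic, not
the real engine). Enough to test a single policy document against a request
context and see which statement does or does not match."""
import fnmatch
import json


def _as_list(value):
    """IAM allows a string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _pattern_matches(pattern, value):
    """IAM wildcard match: '*' and '?' only. Escape '[' so fnmatch does not
    treat it as a character class (ARNs never contain one, but be exact)."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _condition_holds(condition, context):
    """Evaluate the two operators needed here. In IAM, StringEquals on a key
    that is absent from the request context is false; only the ...IfExists
    variant tolerates a missing key."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringEqualsIfExists":
                if actual is not None and actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def evaluate(policy, action, resource, context):
    """Return (decision, sid): an explicit Deny wins, then any matching Allow,
    otherwise ('ImplicitDeny', None). Action names compare case-insensitively."""
    allow = None
    for stmt in _as_list(policy["Statement"]):
        if not any(_pattern_matches(a.lower(), action.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(_pattern_matches(r, resource)
                   for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return ("Deny", stmt.get("Sid"))
        allow = allow or ("Allow", stmt.get("Sid"))
    return allow or ("ImplicitDeny", None)


# Constructed policy mirroring the condition quoted in the post. The region,
# account id, function name and Sid are placeholders, not values from the post.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:routing-config"
INVOKE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "InvokeRoutingConfigFromVpc",
    "Effect": "Allow",
    "Action": "lambda:InvokeFunction",
    "Resource": "%s",
    "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0a1b2c3d4e5f"}}
  }]
}
""" % FUNCTION_ARN)


def check_scenarios():
    """Three request contexts worth comparing when a 403 comes back."""
    via_endpoint = {"aws:SourceVpc": "vpc-0a1b2c3d4e5f"}
    from_internet = {}  # no VPC endpoint on the path, so the key is absent
    return {
        "through the VPC endpoint":
            evaluate(INVOKE_POLICY, "lambda:InvokeFunction", FUNCTION_ARN, via_endpoint),
        "from the public internet":
            evaluate(INVOKE_POLICY, "lambda:InvokeFunction", FUNCTION_ARN, from_internet),
        "version-qualified ARN":
            evaluate(INVOKE_POLICY, "lambda:InvokeFunction", FUNCTION_ARN + ":3", via_endpoint),
    }


if __name__ == "__main__":
    for label, (decision, sid) in check_scenarios().items():
        suffix = f" ({sid})" if sid else ""
        print(f"{label:26s} -> {decision}{suffix}")
```

Only the first scenario is allowed: a request that never traverses a VPC endpoint carries no aws:SourceVpc key at all, so a plain StringEquals on it fails rather than being skipped, and a qualified ARN such as function:routing-config:3 does not match a Resource that names only the unqualified function. Against a real account the equivalent check is aws iam simulate-principal-policy, supplying the aws:SourceVpc value through --context-entries and comparing the result with the key omitted.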