Redirect buckets should only allow traffic from redirect CDN

[Rabadash8820]

There's no reason for clients to be sending requests to our S3 "redirect bucket" directly. They should always be going through the CloudFront Distribution, to ensure HTTPS and IPv6 are usable. See Restricting access to Amazon S3 content by using an origin access identity (OAI) for instructions.

[Rabadash8820]

So actually, the OAI approach doesn't work for S3 buckets configured for static website hosting; instead, we need to restrict access to a custom origin. This involves setting a header in the origin request with a secret value, and having the S3 bucket deny reads unless they have that header. Simple enough, but we'll also want to rotate that secret header value, which will unfortunately require a custom Lambda Function to regenerate the secret and update the bucket policy... That'll involve CDK assets, which I don't really understand yet... Alternatively, the aws-cloudfront-s3 Solutions Construct could do this for us (and simplify our entire CDK app!)