(aws-cloudfront): Using Distribution construct OAI is not associated from S3Origin

What is the problem?

Trying to implement a Cloudfront distribution to access a private website bucket. Using Distribution construct with S3Origin is not associating the distribution with the OAI. This makes impossible to access the private bucket.

Reproduction Steps

Using this code:

       const bucket = new S3.Bucket(this, `${PREFIX}${props.stage}LandingPageBucket`, {
            bucketName: `${PREFIX}-${props.stage}-${LANDING_PAGE_BUCKET_NAME_SUFFIX}`.toLowerCase(),
            websiteIndexDocument: "index.html",
            websiteErrorDocument: '404.html',
            autoDeleteObjects: true,
            publicReadAccess: false,
            blockPublicAccess: S3.BlockPublicAccess.BLOCK_ALL,
            removalPolicy: cdk.RemovalPolicy.DESTROY,
            enforceSSL: true,
        });

        const cloudfrontOAI = new cf.OriginAccessIdentity(this, `${PREFIX}LandingPageCloudfrontOAI`, {
            comment: `Cloudfront OAI for the landing page`
        });

        bucket.grantRead(cloudfrontOAI);

        // Value exported from Global Stack. Ideally HostedZone.fromLookup() method should be used instead but
        // cannot be used until this bug is solved: https://github.com/aws/aws-cdk/issues/4651
        const rootHostedZoneId = cdk.Fn.importValue('RootHostedZoneId');

        const rootHostedZone = r53.HostedZone.fromHostedZoneAttributes(this, `${PREFIX}RootHostedZone`, {
            hostedZoneId: rootHostedZoneId,
            zoneName: SITE_DOMAIN
        });

        const certificate = new acm.Certificate(this, `${PREFIX}LandingPageAcmCertificate`, {
            domainName: SITE_DOMAIN,
            subjectAlternativeNames: [`www.${SITE_DOMAIN}`],
            validation: acm.CertificateValidation.fromDns(rootHostedZone)
        });
        
        const distribution = new cf.Distribution(this, `${PREFIX}${props.stage}LandingPageDistribution`, {
            defaultBehavior: {
                origin: new origins.S3Origin(bucket, {
                    originAccessIdentity: cloudfrontOAI
                }),
                viewerProtocolPolicy: cf.ViewerProtocolPolicy.REDIRECT_TO_HTTPS
            },
            domainNames: [SITE_DOMAIN, `www.${SITE_DOMAIN}`],
            certificate: certificate,
            enableLogging: false,
            comment: "Distribution for Vicinia's Landing page",
        });

The distribution and the rest of the resources are created just fine, but the OAI is not associated to the Distribution provoking 403 forbidden errors.

Using exactly the same code as above but replacing the Distribution construct by CloudFrontWebDistribution works just as expected:

        const distribution = new cf.CloudFrontWebDistribution(this, 'Distribution', {
            originConfigs: [{
                behaviors: [{
                    isDefaultBehavior: true,
                    compress: true,
                    viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
                }],
                s3OriginSource: {
                    s3BucketSource: bucket,
                    originAccessIdentity: cloudfrontOAI,
                },
            }],
            viewerCertificate: cf.ViewerCertificate.fromAcmCertificate(
                certificate,
                {
                    aliases: [SITE_DOMAIN, `www.${SITE_DOMAIN}`],
                    securityPolicy: cf.SecurityPolicyProtocol.TLS_V1_2_2021,
                    sslMethod: cf.SSLMethod.SNI,
                },
            ),
            comment: "Distribution for Vicinia's Landing page",
        });

What did you expect to happen?

Distribution is created with the OAI associated.

What actually happened?

Distribution is created with no OAI associated.

CDK CLI Version

1.128

Framework Version

No response

Node.js Version

v14.18.0

OS

Windows 10

Language

Typescript

Language Version

3.9.10

Other information

No response