Updated - The OAM service now uses the "aws:PrincipalOrgPaths" to determine which accounts are allowed to create the link. So in the monitoring account you need to be sure that you've provided all the exact AWS Organization paths for the desired member accounts. You can view the policy in the OAM configuration of the monitoring account.