So anyone else who runs into this issue... I am using an API Gateway authorizer to lock down the API Gateway to only accept requests from cloud front (because im using an HttpApi and wanted a WAF as well). Turns out when you do that the APIGatewayHttpApiV2ProxyFunction class overwrites existing authorization. I was able to fix this by overriding the FunctionHandlerAsync and setting the authorizer to null on the incoming request.