I faced a similar issue while trying to assume an IAM Role from inside a EKS pod which uses the new pod identity.

I was getting the below error.

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::*****:assumed-role/***** is not authorized to perform: sts:TagSession on resource: arn:aws:iam::*****:role/*****

The problem was with the external-id condition in the trust relationships of the role to be assumed. Once I removed that condition it worked fine.