79545970

Date: 2025-03-31 10:09:18
Score: 0.5

The main issue seems to be that you're using the wrong principal.

The correct principal depends on your region, but will either be "logdelivery.elasticloadbalancing.amazonaws.com" or "arn:aws:iam::<elb-account-id>:root" (where <elb-account-id> will also depend on your specific region). Everything you need to know is here.

Also note that you only need to allow s3:PutObject, so you don't need the bucket level ARN, and your object ARN can be scoped down a bit (e.g. arn:aws:s3:::amzn-s3-demo-logging-bucket/<optional-logging-prefix>/AWSLogs/<your-account-id>/*).

One last thing to check is that your bucket uses SSE-S3 (AWS S3-managed keys).

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (0.5):
Posted by: andycaine
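The checks this answer walks through, as an added Python example that is not part of the original post: a small linter that inspects one bucket-policy statement for an acceptable principal form, a PutObject-only action list and an object ARN scoped to the AWSLogs path. The bucket name is the one used in the answer; the account id, the prefix and the "before" statement are constructed placeholders, and the SSE-S3 point is not covered because it is a bucket setting rather than a policy statement.

```python
import re

# Values below are constructed for this example, not taken from the original post.
BUCKET = "amzn-s3-demo-logging-bucket"      # bucket name used in the answer
ACCOUNT_ID = "111111111111"                  # placeholder for <your-account-id>
SERVICE_PRINCIPAL = "logdelivery.elasticloadbalancing.amazonaws.com"
ROOT_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:root$")  # arn:aws:iam::<elb-account-id>:root

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def check_elb_log_statement(stmt, bucket=BUCKET, account_id=ACCOUNT_ID):
    """Return the list of problems found in one bucket-policy statement."""
    findings = []
    principal = stmt.get("Principal") or {}
    service_ok = principal.get("Service") == SERVICE_PRINCIPAL
    aws = principal.get("AWS")
    root_ok = isinstance(aws, str) and ROOT_ARN_RE.match(aws) is not None
    if not (service_ok or root_ok):
        findings.append("principal is neither the log-delivery service nor an ELB account root ARN")
    if _as_list(stmt.get("Action")) != ["s3:PutObject"]:
        findings.append("only s3:PutObject is required")
    suffix = f"/AWSLogs/{account_id}/*"
    for res in _as_list(stmt.get("Resource")):
        if res == f"arn:aws:s3:::{bucket}":
            findings.append("bucket-level ARN is not needed")
        elif not (res.startswith(f"arn:aws:s3:::{bucket}/") and res.endswith(suffix)):
            findings.append(f"object ARN should be scoped to ...{suffix}: {res}")
    return findings

# Constructed "before": the kind of statement the answer is correcting.
BROKEN_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"Service": "elasticloadbalancing.amazonaws.com"},
    "Action": ["s3:PutObject", "s3:GetBucketAcl"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
}

# Constructed "after": service principal, PutObject only, object ARN scoped down.
FIXED_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"Service": SERVICE_PRINCIPAL},
    "Action": "s3:PutObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/elb-logs/AWSLogs/{ACCOUNT_ID}/*",
}

if __name__ == "__main__":
    for name, stmt in (("broken", BROKEN_STATEMENT), ("fixed", FIXED_STATEMENT)):
        print(name, check_elb_log_statement(stmt) or ["ok"])
```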