The Viewer Response event doesn't get triggered on > 4xx response codes. And WAF will return the default block response to the client if neither WAF nor the protected resource (CloudFront in this case) is configured with a custom response. So I don't this is going to work as you're expecting.

Your best bet - if you need it to be dynamic - is probably to configure CloudFront with a custom reponse for a 403 status code, create a behaviour (with caching disabled) for that path then connect your function to the Origin Request event for that behaviour. And you'll need to tweak the function to always return the dynamic 403 response because it won't have an origin response to work with.