[TBCM-183] Migrate away from legacy Origin Access identity to Origin Access Control for the App distribution

[kushal-arora-fw]

KMS Keys for CloudFront Distribution doesn't work with the legacy Origin Access Identify. Migrating to the latest Origin Access Control.

Good reads:

1. Signing CloudFront URLs with aws:kms encryption | AWS re:Post (repost.aws)
2. amazon s3 - KMS.UnrecognizedClientException while accessing ksm encrypted s3 bucket - Stack Overflow
3. Amazon CloudFront introduces Origin Access Control (OAC)

-- This PR fixes the below error: