Error 403 with HTTP-01 auth on Apache

This is to allow HTTPS Only in the CloudFront origin protocol policy.

On the custom domains tab on CloudFront, I need to set domain.com and www.domain.com as custom domains.

Then on the server front, I need to issue a SAN certificate with an HTTP challenge for that origin protocol policy to work.

I'm not a security expert, so I have no idea what the technical reasons are behind it. But you can explore the troubleshooting further here: Lightsail CloudFront SSL certificate origin policy issues