There's a bit more detail here: Lightsail CloudFront SSL certificate origin policy issues
This is the troubleshooting process we went through when we first encountered the issue.
Lightsail doesn't offer any customisability with the CloudFront distribution and the only way to offer an HTTPS origin policy is by specifying the CloudFront domain in the SAN. Otherwise it just throws the error messages in the link above.
I think @_az helped solve that the first time around too.