After some more research, I can answer my own question. I will share it just in case anybody else is trying to use AWS CloudHSM.
By default, Boulder uses SoftHSM, which seems to expect a 4-digit string for the pin.
With CloudHSM, the trick is that the pin parameter needs to be a string of the form "USER:PASSWORD".
The USER and PASSWORD need to be created manually using this AWS tool: /opt/cloudhsm/bin/cloudhsm_mgmt_util
After that, simply updating the pin in the config file is enough for the Boulder code to "login" to the CloudHSM successfully.
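As an added illustration of the pin difference described in the post above (this is example code written for this page, not code from the post, from Boulder or from AWS), the small Python helper below builds the "USER:PASSWORD" pin for the CloudHSM PKCS#11 library, checks that a given pin is consistent with the module it is paired with, and renders the resulting "pkcs11" object. Everything not stated in the post is an assumption: the two module paths, the Boulder config key names (module, tokenLabel, pin), the token label, the minimum SoftHSM pin length, and the sample user and password values, which are constructed placeholders.

```python
"""Build and sanity-check the PKCS#11 pin Boulder hands to SoftHSM vs. AWS CloudHSM.

Assumptions (not from the original post): Boulder's signer config carries a
"pkcs11" object with "module", "tokenLabel" and "pin" keys, and the CloudHSM
PKCS#11 library expects the pin as "<crypto-user>:<password>".
"""
from __future__ import annotations

import json

# Typical install locations; both are assumptions, adjust to your hosts.
SOFTHSM_MODULE = "/usr/lib/softhsm/libsofthsm2.so"
CLOUDHSM_MODULE = "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so"


def cloudhsm_pin(user: str, password: str) -> str:
    """Compose the "USER:PASSWORD" string used as the PKCS#11 PIN for CloudHSM.
    The user is the crypto user created with cloudhsm_mgmt_util. A ':' in the
    user name would make the split ambiguous, so it is rejected up front."""
    if not user or ":" in user:
        raise ValueError("CloudHSM user name must be non-empty and must not contain ':'")
    if not password:
        raise ValueError("CloudHSM password must be non-empty")
    return f"{user}:{password}"


def split_cloudhsm_pin(pin: str) -> tuple[str, str]:
    """Inverse of cloudhsm_pin(): split on the first ':' only, so a password
    that itself contains ':' survives the round trip."""
    user, sep, password = pin.partition(":")
    if not sep or not user or not password:
        raise ValueError("expected a pin of the form USER:PASSWORD")
    return user, password


def check_pin_for_module(module: str, pin: str) -> list[str]:
    """Return a list of human-readable problems with a (module, pin) pairing.
    An empty list means the pairing matches what each library expects."""
    problems: list[str] = []
    if "cloudhsm" in module.lower():
        if ":" not in pin:
            problems.append("CloudHSM module but pin is not USER:PASSWORD; C_Login will fail")
    else:
        # SoftHSM treats the pin as an opaque string. A minimum length of 4 is
        # assumed here (the post's 4-digit value fits that).
        if len(pin) < 4:
            problems.append("SoftHSM pin shorter than 4 characters")
        if ":" in pin:
            problems.append("pin looks like a CloudHSM USER:PASSWORD value but module is not CloudHSM")
    return problems


def pkcs11_config(module: str, token_label: str, pin: str) -> dict:
    """Build the "pkcs11" object (key names are an assumption about Boulder's
    config schema) after refusing pins that cannot work with the module."""
    problems = check_pin_for_module(module, pin)
    if problems:
        raise ValueError("; ".join(problems))
    return {"module": module, "tokenLabel": token_label, "pin": pin}


def render(config: dict) -> str:
    """JSON fragment to splice into the signer config file."""
    return json.dumps({"pkcs11": config}, indent=2)


if __name__ == "__main__":
    # Constructed sample values only; the token label and credentials are placeholders.
    softhsm = pkcs11_config(SOFTHSM_MODULE, "intermediate signing key", "1234")
    cloudhsm = pkcs11_config(CLOUDHSM_MODULE, "hsm-token", cloudhsm_pin("crypto_user", "s3cret-pw"))
    print(render(softhsm))
    print(render(cloudhsm))
```

Whatever the backend, the pin is a login credential stored in plaintext in the config file, so keep that file readable only by the Boulder service user and out of version control; with CloudHSM it is the crypto user's actual password, not a throwaway test value.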