I have a REST API Lambda function deployed to a private subnet, where the API Gateway type is private. Following this I have set up a VPC endpoint for the private API Gateway in the two public subnets of the same VPC as the Lambda function's private subnet. The corresponding security group of the VPC endpoint allows all traffic.
If I try to query the API endpoint from an EC2 instance in the public subnet, I get the following error:
anonymous is not authorized to perform: execute-api:Invoke on the resource.
I cannot find the issue, as the resource policy of the private API gateway looks as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-central-1:xxxxxxx:xxxxxx/*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-xxxxxxxx"
        }
      }
    }
  ]
}
What am I missing?
Actually, what @peterhack said was the answer for me as well. Using the provided template "VPC Whitelist" with all the placeholders left in was the problem:
...xxx:/{{stageNameOrWildcard}}/{{httpVerbOrWildcard}}/{{resourcePathOrWildcard}}
Replacing it with ...xxx:*/*
fixed it.
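A small lint pass that catches the mistake described above, written as an added example rather than anything from the question or answer: it flags unreplaced `{{...}}` template placeholders in the Resource ARN of an API Gateway resource policy and checks that a wildcard Principal is pinned to the expected VPC endpoint. The account id, API id and vpce id are constructed placeholders.

```python
import json
import re

# Matches template placeholders such as {{stageNameOrWildcard}} left in an ARN.
PLACEHOLDER = re.compile(r"\{\{[^{}]*\}\}")
# execute-api ARN: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<verb>/<path>
# where "*" may stand in for the api-id and for any of the trailing segments.
EXECUTE_API_ARN = re.compile(r"^arn:aws:execute-api:[a-z0-9-]+:\d{12}:[A-Za-z0-9*]+/.+$")

# Constructed sample values (not real identifiers).
VPCE = "vpce-0123456789abcdef0"
BROKEN_RESOURCE = ("arn:aws:execute-api:eu-central-1:123456789012:{{apiId}}"
                   "/{{stageNameOrWildcard}}/{{httpVerbOrWildcard}}/{{resourcePathOrWildcard}}")
FIXED_RESOURCE = "arn:aws:execute-api:eu-central-1:123456789012:a1b2c3d4e5/*"


def make_policy(resource: str, vpce: str = VPCE) -> str:
    """Build a 'VPC Whitelist' style resource policy around the given Resource ARN."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": resource,
            "Condition": {"StringEquals": {"aws:sourceVpce": vpce}},
        }],
    })


def lint_policy(policy_json: str, expected_vpce: str) -> list[str]:
    """Return human-readable findings; an empty list means the policy looks sane."""
    findings = []
    for n, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        for arn in [resources] if isinstance(resources, str) else resources:
            if PLACEHOLDER.search(arn):
                findings.append(f"statement {n}: unreplaced template placeholder in {arn}")
            elif not EXECUTE_API_ARN.match(arn):
                findings.append(f"statement {n}: malformed execute-api ARN {arn}")
        # On a private API a wildcard Principal should be restricted to the VPC endpoint.
        vpce = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:sourceVpce")
        if stmt.get("Principal") == "*" and vpce != expected_vpce:
            findings.append(f"statement {n}: Principal '*' not restricted to {expected_vpce}")
    return findings


if __name__ == "__main__":
    for label, res in (("broken", BROKEN_RESOURCE), ("fixed", FIXED_RESOURCE)):
        print(label, lint_policy(make_policy(res), VPCE) or "OK")
```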