After almost a day of faffing around with AWS amplify and trying to provision Cognito roles and a user pool, I found a bug in the amplify cli which was causing cloudformation to fail to provision an appropriate permission for a cognito role. Or something like that.
Anyway, the AWS team are on the case, but it's too late. I tried Firebase auth while I was waiting and found the Google docs better than the AWS docs, plus the auth platform is totally free.
I'm now also looking into using Google cloud storage as they have a generous free tier and I believe it is backed by a CDN, which is an extra service on AWS.