I think your best option might be to use ECR Policy to allow cross account access. ECR repos are not shared by default, you have to grant access.
ECR isn't in your VPC, and from memory I don't think AWS publish the ECR IP range, so I think in your case you'll need to let your instance have https access to 0.0.0.0/0. If you want to restrict that you may have to use a proxy like squid which is domain aware, in a similar way to how you'd use a NAT gateway / instance.
We asked AWS Support about VPC Endpoints for cross account ECR recently. What they told us is VPC Endpoints are used for within the account, not for cross account. I haven't tested that, but that's what I recall they told us, but it's worth testing to be sure. So I think access cross region and cross account will have to be over the internet, and the only way to restrict access to ECR is using the policy I linked to above.
This policy from the page above allows cross account access:

    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountPush",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::account-id:root"
                },
                "Action": [
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:PutImage",
                    "ecr:InitiateLayerUpload",
                    "ecr:UploadLayerPart",
                    "ecr:CompleteLayerUpload"
                ]
            }
        ]
    }
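An added example, not part of the original answer: a small offline check that reads an ECR repository policy and reports, for each principal outside your own account, whether the grant covers push, pull, or neither in full. The function name `review_policy` and both account IDs are assumptions made up for the illustration; the sample is the policy above with a constructed account ID filled in.

```python
import json
from fnmatch import fnmatchcase

# ECR actions needed to pull and to push an image (identity-side
# ecr:GetAuthorizationToken is granted in IAM, not in the repository policy).
PULL = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"}
PUSH = {"ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload", "ecr:BatchCheckLayerAvailability"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def review_policy(policy_json, own_account):
    """Return one finding per foreign principal in each Allow statement."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        # IAM action names are case-insensitive and may contain wildcards.
        granted = {a for a in PULL | PUSH
                   if any(fnmatchcase(a.lower(), p) for p in patterns)}
        for arn in arns:
            # Principal is an ARN, a bare 12-digit account ID, or "*".
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account == own_account:
                continue
            findings.append({
                "sid": stmt.get("Sid"),
                "account": account,
                # ":root" or a bare account ID delegates to the whole account.
                "whole_account": not arn.startswith("arn:") or arn.endswith(":root"),
                "can_push": PUSH <= granted,
                "can_pull": PULL <= granted,
                "missing_for_pull": sorted(PULL - granted),
            })
    return findings

# Constructed sample: the policy above with a made-up account ID filled in.
SAMPLE_POLICY = """{"Version": "2008-10-17", "Statement": [{
  "Sid": "AllowCrossAccountPush", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability",
             "ecr:PutImage", "ecr:InitiateLayerUpload",
             "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"]}]}"""

if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY, own_account="444455556666"):
        print(finding)
```

Run against the sample, it reports that the grant is enough to push but not to pull, because `ecr:BatchGetImage` is absent, and that the `:root` principal extends the grant to the whole other account.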