I believe this indicates that your custom domains were previously configured as regional APIs, but when you reconfigured the custom domains, you configured them as edge optimized.
CloudFront provides the edge-optimized feature on behalf of API Gateway, at no charge, and the CloudFront distribution that's automatically attached to an API Gateway endpoint isn't visible to you in the console. With a regional deployment, the response you're seeing wouldn't even be possible, because those don't involve CloudFront.
I assume you had to update DNS as part of the remedy to the previous issue. If you still have a record of the old alias targets from before the change, that might provide some confirmation.
An regional API has a target domain name that looks like d-example.execute-api.${region}.amazonaws.com while an edge optimized API has a target domain name with dexample.cloudfront.net. These are the values you would have configured in DNS.
As luck would have it, I have a test API that's deployed to two different custom domains, one regional and the other edge optimized, and I can confirm this explanation with the following. These two examples are for exactly the same API, same stage, same everything, except that there are two different custom domains, one is regional and the other is edge-optimized.
regional deployment
$ curl -X PROPFIND -v https://regional.example.com
< HTTP/1.1 405 Method Not Allowed
< Date: Sat, 28 Sep 2019 00:05:11 GMT
< Content-Type: null
< Content-Length: 23
< Connection: keep-alive
< x-amzn-RequestId: c03bcb0f-0a79-488a-a658-0123456789ab
< x-amz-apigw-id: Base64Stuff=
Unsupported HTTP method
edge optimized
$ curl -X PROPFIND -v https://edge-optimized.example.com
< HTTP/1.1 403 Forbidden
< Server: CloudFront
< Date: Sat, 28 Sep 2019 00:05:19 GMT
< Content-Type: text/html
< Content-Length: 694
< Connection: keep-alive
< X-Cache: Error from cloudfront
< Via: 1.1 example.cloudfront.net (CloudFront)
< X-Amz-Cf-Pop: IAD79-C2
< X-Amz-Cf-Id: BlahBlahBase64==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: BlahBlahBase64==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
I originally thought it might be possible (however unlikely) that API Gateway might have changed the way it deploys those hidden CloudFront distributions for edge-optimized deployments, so your new setup might have been the same as the old, from your perspective, but with different behavior internally. I now believe this to be unlikely, because these test APIs were last deployed quite some time back.
Side note: I'm a big fan of CloudFront, overall, but this behavior seems inappropriate, fundamentally incorrect, and perhaps it would even be fair to say embarrassingly inept. There are two problems with it.
First, it isn't accurate.
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
The first part is close enough, but that second sentence is complete nonsense, and unhelpful.
The first problem is that this error message was almost certainly designed, originally, for an entirely different purpose. CloudFront can be configured to allow request methods from one of three selectable sets:
GET, HEADGET, HEAD, OPTIONSGET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
This error is supposed to be shown if you send PUT, POST, PATCH, or DELETE to a cache behavior configured to support only GET, HEAD, and possibly OPTIONS -- in other words, "only cachable requests" -- and that isn't the case, here.
This message is being used inappropriately to respond to methods outside this set, methods which aren't usable with API Gateway.
The second problem is that this, of course, should be 405 Method Not Allowed, and not 403 Forbidden.
