TIL that VPC endpoints cannot connect to public APIGWs
An execute-api interface VPC endpoint with Private DNS Enabled turned on intercepts all requests to AWS API Gateway hostnames from inside its VPC: the private hosted zone the endpoint creates for execute-api.<region>.amazonaws.com resolves those names to the endpoint's private IP addresses. This leads to a 403 Forbidden error when attempting to reach a public AWS API Gateway from inside that VPC.
The HTTP 403 Forbidden error occurs when you turn on DNS for an API Gateway interface VPC endpoint that's associated with a VPC. In this case, all requests from the VPC to API Gateway APIs resolve to that interface VPC endpoint. However, you can't use a VPC endpoint to connect to public APIs.
This occurs even when the public API is called through a custom domain name (a CNAME record), because the CNAME still resolves to an execute-api hostname, which is exactly the name the endpoint's private DNS overrides.
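One way to confirm this is happening without guessing: resolve the API hostname from inside the VPC, follow any CNAME chain, and check whether the final addresses fall inside the VPC CIDR (the interface endpoint's ENIs) rather than on the public internet. The script below is an added example and is not code from the original post or from AWS; the API IDs, custom domain, VPC CIDR and IP addresses are constructed sample data, and the live resolver helper at the bottom is only used if you call it yourself.

```python
"""Diagnose whether an execute-api interface VPC endpoint with Private DNS
enabled is capturing DNS answers for an API Gateway hostname.

Added example, not from the original post. All hostnames, API IDs, the VPC
CIDR and every IP address below are constructed sample data.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass, field

# <api-id>.execute-api.<region>.amazonaws.com, with or without a trailing dot.
EXECUTE_API_RE = re.compile(r"^[a-z0-9-]+\.execute-api\.[a-z0-9-]+\.amazonaws\.com\.?$")


@dataclass
class Resolution:
    """The outcome of resolving one hostname: the CNAME hops and final A records."""
    queried: str
    cname_chain: list = field(default_factory=list)  # CNAME targets, in order
    addresses: list = field(default_factory=list)    # final A records


def names_in_chain(res):
    """Every name seen during resolution: the queried name, then each CNAME target."""
    return [res.queried] + list(res.cname_chain)


def execute_api_name(res):
    """First execute-api hostname in the chain, or None if API Gateway is not involved.

    A custom domain (api.example.com) is a CNAME to an execute-api name, so the
    private hosted zone still applies to it; this is what makes the 403 appear
    even for CNAMEs of public APIs."""
    for name in names_in_chain(res):
        if EXECUTE_API_RE.match(name.lower()):
            return name.lower().rstrip(".")
    return None


def classify(res, vpc_cidr):
    """Return one of:
    'not-api-gateway'          - no execute-api name in the chain
    'intercepted-by-endpoint'  - every answer is inside the VPC CIDR (endpoint ENIs)
    'public-resolution'        - answers are public addresses, request leaves the VPC
    'mixed'                    - some answers private, some public (resolver misconfig)
    """
    if execute_api_name(res) is None:
        return "not-api-gateway"
    vpc = ipaddress.ip_network(vpc_cidr)
    private = [a for a in res.addresses if ipaddress.ip_address(a) in vpc]
    if private and len(private) == len(res.addresses):
        return "intercepted-by-endpoint"
    if private:
        return "mixed"
    return "public-resolution"


def expect_403(res, vpc_cidr, api_is_public):
    """A public API reached through the interface endpoint is the failing case."""
    return api_is_public and classify(res, vpc_cidr) == "intercepted-by-endpoint"


# Constructed sample data: a VPC 10.20.0.0/16 hosting an execute-api endpoint
# with Private DNS on. 203.0.113.0/24 stands in for public API Gateway addresses.
VPC_CIDR = "10.20.0.0/16"
SAMPLES = {
    # Public REST API called by its execute-api name from inside the VPC.
    "direct": Resolution("abc123defg.execute-api.us-east-1.amazonaws.com",
                         addresses=["10.20.1.15", "10.20.2.27"]),
    # Same API behind a custom domain: CNAME -> regional execute-api target.
    "custom-domain": Resolution("api.example.com",
                                cname_chain=["d-xyz789abcd.execute-api.us-east-1.amazonaws.com"],
                                addresses=["10.20.1.15", "10.20.2.27"]),
    # Resolved from a VPC without the endpoint (or with Private DNS off).
    "outside": Resolution("abc123defg.execute-api.us-east-1.amazonaws.com",
                          addresses=["203.0.113.10", "203.0.113.11"]),
    # An unrelated host that merely lives in the same VPC.
    "other": Resolution("db.internal.example.com", addresses=["10.20.5.5"]),
}


def run_samples(vpc_cidr=VPC_CIDR):
    """Classify every constructed sample; handy for a quick offline sanity check."""
    return {name: classify(res, vpc_cidr) for name, res in SAMPLES.items()}


def resolve_live(hostname):
    """Resolve a real hostname with the local resolver (no CNAME chain is exposed
    by getaddrinfo, so only the final A records are returned). Not used by the
    offline samples above."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return Resolution(hostname, addresses=sorted({info[4][0] for info in infos}))


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14s} -> {verdict}")
```

Run it from an instance in the affected VPC with `classify(resolve_live("<api-id>.execute-api.<region>.amazonaws.com"), "<vpc-cidr>")`; a verdict of `intercepted-by-endpoint` for a public API is the configuration the post describes, and turning Private DNS off on the endpoint (or resolving from outside the VPC) moves it to `public-resolution`.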