Note that depending on which service one uses, the token needs to be
added either before or after signing.

https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html

« When you add the X-Amz-Security-Token parameter to the query string, some services require that you include this parameter in the canonical (signed) request. For other services, you add this parameter at the end, after you calculate the signature. For details, see the API reference documentation for that service. »

Since the parameter is added to the headers, not the query string, I think it should always be added before signing.

Maybe there is a mistake in by session_token_signed implementation, but if I use it instead of session_token_unsigned I'm getting a InvalidClientTokenId with cloudformation. And your statement would contradict

Note that depending on which service one uses, the token needs to be
added either before or after signing.

Or am I simply misunderstanding this statement?

Indeed, you forgot to add the X-Amz-Security-Token header.

It seems you only need to add the token after signing when generating a pre-signed URL for an AWS IoT websocket. See aws/aws-sdk-go#2485 (comment).

How does it compare to #95?