UnityWebRequest and/or HttpWebRequest give 403 on Android with PUT

I am trying to post an image captured through my game to Facebook through their SDK, and as it requires a URI, I wrote a simple AWS Lambda function to take a byte array and upload it to an AWS bucket. The AWS function takes a call and then returns a URL to call PUT to with the image data... So the idea is, if the response is 200, use that URL to post to FB.

But - using Unity 5.2.x to 5.3.4, and Android 4.4 - 6.1 - it always gives me a 403 response, while working fine on iOS.

So, I have a method that takes a byte[] then does this:

    WWW w = new WWW("https://my-amazon-function-to-call");
    yield return w;
    if (!string.IsNullOrEmpty(w.error)) {
        Debug.LogError(w.error);
    }
    else 
    {
             var dict = Json.Deserialize(w.text) as Dictionary<string,object>;
             string oneTimeUploadUrl = (string)dict["oneTimeUploadUrl"]; // Private URL
             string resultUrl = (string)dict["resultUrl"]; // Public URL

            UnityWebRequest aws = UnityWebRequest.Put(oneTimeUploadUrl, bytes);
            yield return aws.Send();
            if(aws.isError) 
            {
                Debug.LogError("AWS ERROR: " + aws.error);
            }
            if(aws.responseCode == 200)
            {
                FeedShare(new Uri(resultUrl), _cachedMessage);    // FB call
            }
    }

Pretty simple, right? On iOS, yes it is. But Android it continually gives me a 403 response on the PUT operation.

So, I've taken to wrapping this in an iOS-specific #ifdef and trying something more natively C-Sharp-ish for Android... Eg.:

    WWW w = new WWW("https://my-amazon-function-to-call"); // tried pure old Http too
    yield return w;
    if (!string.IsNullOrEmpty(w.error)) {
        Debug.LogError(w.error);
    }
    else {
        var dict = Json.Deserialize(w.text) as Dictionary<string,object>;
        string oneTimeUploadUrl = (string)dict["oneTimeUploadUrl"];
        string resultUrl = (string)dict["resultUrl"];

    #if UNITY_IPHONE
        UnityWebRequest aws = UnityWebRequest.Put(oneTimeUploadUrl, bytes);
        yield return aws.Send();
        if(aws.isError) 
        {
            Debug.LogError("AWS ERROR: " + aws.error);
        }
        if(aws.responseCode == 200)
        {
            FeedShare(new Uri(resultUrl), _cachedMessage);    
        }
    #else             

    // Various Security Callback Tests
        //ServicePointManager.ServerCertificateValidationCallback = (p1, p2, p3, p4) => true;
        //ServicePointManager.ServerCertificateValidationCallback = MyRemoteCertificateValidationCallback;
        ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(AcceptAllCertifications);


        HttpWebRequest wreq = (HttpWebRequest)WebRequest.Create(oneTimeUploadUrl);
        //wreq.AuthenticationLevel = System.Net.Security.AuthenticationLevel.None;
        //wreq.PreAuthenticate = false;
        wreq.Method = "PUT";
        wreq.ContentType = "image/png";
        wreq.ContentLength = bytes.Length;

        Stream newStream = wreq.GetRequestStream();
        newStream.Write(bytes, 0, bytes.Length);
        newStream.Close();

        HttpWebResponse response = (HttpWebResponse)wreq.GetResponse();
        if((int)response.StatusCode == 200)
        {
            FeedShare(new Uri(resultUrl), _cachedMessage);
        }
     #endif
    }

... but that also gives me a 403. I've tried a few different options, as you can see from the commented-out code, but no love. For the record, here are the SSL Policy functions that are used as the ServerCertificateValidationCallbacks:

public bool AcceptAllCertifications(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certification, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
    return true;
}

public bool MyRemoteCertificateValidationCallback(System.Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) {
    bool isOk = true;
    if (sslPolicyErrors != SslPolicyErrors.None) {
        for (int i=0; i<chain.ChainStatus.Length; i++) {
            if (chain.ChainStatus [i].Status != X509ChainStatusFlags.RevocationStatusUnknown) {
                chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan (0, 1, 0);
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
                bool chainIsValid = chain.Build ((X509Certificate2)certificate);
                if (!chainIsValid) {
                    isOk = false;
                }
            }
        }
    }
    print("MyRemoteCertificateValidationCallback: " + isOk);
    return isOk;
}

This is the actual StackTrace:

04-01 11:14:57.325: I/Unity(22979):  
04-01 11:14:57.325: I/Unity(22979): (Filename: ./artifacts/generated/common/runtime/UnityEngineDebugBindings.gen.cpp Line: 37)
04-01 11:14:57.825: I/Unity(22979): WebException: The remote server returned an error: (403) Forbidden.
04-01 11:14:57.825: I/Unity(22979):   at System.Net.HttpWebRequest.CheckFinalStatus (System.Net.WebAsyncResult result) [0x00000] in <filename unknown>:0 
04-01 11:14:57.825: I/Unity(22979):   at System.Net.HttpWebRequest.SetResponseData (System.Net.WebConnectionData data) [0x00000] in <filename unknown>:0 
04-01 11:14:57.825: I/Unity(22979):  
04-01 11:14:57.825: I/Unity(22979): (Filename:  Line: -1)

At this point, I'm totally stuck... my only thought is to maybe write a native plugin... but would love to NOT have to do that...

Thoughts ???