CloudFormation claims KMS policy statement principals are invalid

I have the following SAM template:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  test lambda
Globals:
  Function:
    Timeout: 3
    Tracing: Active
  Api:
    TracingEnabled: True

Resources:
  NotesFunction:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Zip
      CodeUri: notes/
      Handler: app.lambdaHandler
      Runtime: nodejs18.x
      Policies:
      - AmazonDynamoDBFullAccess
      Architectures:
        - x86_64
      Events:
        FetchNotes:
          Type: Api
          Properties:
            Path: /notes
            Method: get
        GiveNotes:
          Type: Api
          Properties:
            Path: /notes
            Method: post
        Users:
          Type: Api
          Properties:
            Path: /notes/users
            Method: get
    Metadata:
      BuildMethod: esbuild
      BuildProperties:
        Minify: true
        Target: "es2020"
        Sourcemap: true
        EntryPoints:
        - app.ts

  KmsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: CMK for encrypting and decrypting
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: '*'
        - Sid: Allow administration of the key
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::<MY_ACCOUNT>:role/aws-service-role/cks.kms.amazonaws.com/KMSKeyAdminRole
          Action:
          - kms:Create*
          - kms:Describe*
          - kms:Enable*
          - kms:List*
          - kms:Put*
          - kms:Update*
          - kms:Revoke*
          - kms:Disable*
          - kms:Get*
          - kms:Delete*
          - kms:ScheduleKeyDeletion
          - kms:CancelKeyDeletion
          Resource: '*'
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS: !Ref NotesFunctionRole
          Action:
          - kms:DescribeKey
          - kms:Encrypt
          - kms:Decrypt
          - kms:ReEncrypt*
          - kms:GenerateDataKey
          - kms:GenerateDataKeyWithoutPlaintext
          Resource: '*'

  NotesDynamoDB:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: experimental-notes
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5
      StreamSpecification:
        StreamViewType: NEW_IMAGE

Outputs:
  NotesApi:
    Description: "API Gateway endpoint URL for dev stage for Notes function"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/dev/notes/"
  NotesFunction:
    Description: "Notes Lambda Function ARN"
    Value: !GetAtt NotesFunction.Arn
  NotesFunctionIamRole:
    Description: "Implicit IAM Role created for Notes function"
    Value: !GetAtt NotesFunctionRole.Arn
  NotesDynamoDB:
    Description: "DynamoDB table backing the Lambda"
    Value: !GetAtt NotesDynamoDB.Arn

When I build + deploy this template I get the following CloudFormation errors:

Resource handler returned message: "Policy contains a statement with one or more invalid principals....

Obviously I have redacted my actual account ID and replaced it with <MY_ACCOUNT> (!).

But it doesn’t say what’s "invalid" about which principals. The idea is that the 2nd policy statement gets applied/hardcoded to an existing role (KMSKeyAdminRole). And that the 3rd Statement gets applied to the role of the NotesFunction Lambda created up above.

Can anyone spot where I’m going awry?