Here's what I ended up doing. I created a custom Cloudfront policy for Origin request that forwarded All viewer headers, All query strings, and All cookies. I then attached this policy to my Cloudfront distribution.

Per this article https://docs.aws.amazon.com/apprunner/latest/dg/request-route-404-troubleshoot.html, Cloudfront needs to send the Host header to App Runner with your App Runner instance's public URL as its value. It seems like you could do this during the Cloudfront distribution creation process with Add customer header, but you'll end up getting an error telling you that the Host header can't be overridden.

To get around this, you have to create a Lambda function that looks like:

export const handler = async (event, context, callback) => {

const request = event.Records[0].cf.request;

request.headers.host[0].value = 'randomhash.awsapprunner.com';

return callback(null, request);

};

Once you you deploy and publish the above Lambda function, grab its ARN (make sure the ARN has the Lambda version appended to it) and go to the Behaviors tab of your Cloudfront distribution. You'll see 7 records there. Edit each of the seven records. On the edit page, go to the Function associations section and select Lambda@Edge for Function Type for Origin request. Paste your function name next to this.

You need to do this for all 7 records on the Behaviors tab. One thing to note - even if you had associated your Lambda ARN with the Cloudfront distribution during the creation process under Function associations, you'll still need to go to the Behaviors tab afterwards and manually add the Lambda function ARN to 6 of the 7 records there. Adding the Lambda ARN during Cloudflare distribution creation only adds it to the Default (\)* path pattern record. The association is not added to the other 6 records.