So after two days of failing to resolve and amending policies left, right and centre, I’ve identified the issue was down to the use of the URI recommended in the duplicity restore statement here:
sudo -E duplicity restore --force s3://s3.amazonaws.com/your-bucket-name/your-backup-path /home/user-data/
It was only by accident, by reviewing the properties for the ‘Object’ in the AWS console, i.e. /your-bucket-name/your-backup-path, that I noticed the URI was showing as s3://your-bucket-name/your-backup-path, not the full s3://s3.region.amazonaws.com/…
So using the URI specified for the object:
sudo -E duplicity restore --force s3://your-bucket-name/your-backup-path /home/user-data/
It worked straight away.
So in conclusion, the 403 wasn’t permissions related; it was that the object was inaccessible as the URI was malformed for my bucket.
Leaving my learning here in case it helps anyone else from tearing their hair out.