If you have two AWS products (Cognito & AWS ES Service) that aren't working together, I simply do not understand why AWS would be passing you back here. You're paying them money, you should expect more from them than that.
There is more than the possibility - it is a completely different implementation. I could walk you through how Elastic's implementation works, but it wouldn't help you at all because AWS have their own implementation of this.
I understand that this is frustrating for you, but the problem here is that you can't get AWS Cognito to work with AWS ES Service, and from what you're telling us, it seems AWS doesn't care.
We care, but we simply can't help you because we don't know the answers. I have not seen AWS's OAuth code. We didn't write it, we cannot tell you how it works.
If you were running our distribution, or using our cloud service, then we would be able to work with you to resolve this, but it's simply impossible for us to support other people's forks of our products when they're running code we haven't seen.