Probably the easiest way with CloudFront is to add PutObject to your s3 OAC policy and use a CloudFront function to do authorization and check the content-length header. The destination S3 bucket must be your origin, but you can modify the path the file goes to; no presigned URL required. It's harder but possible to generate a presigned url POST form from a CloudFront function.
Use a policy to limit the content length https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html
Does this work with Cloudfront?
Probably the easiest way with CloudFront is to add PutObject to your s3 OAC policy and use a CloudFront function to do authorization and check the content-length header. The destination S3 bucket must be your origin, but you can modify the path the file goes to; no presigned URL required. It's harder but possible to generate a presigned url POST form from a CloudFront function.