Score:0

S3 / Cloudfront / Load balancer Architecture explanation needed

My architecture is like so: I have a static website xyz.com hosted on S3 and served with CloudFront. The website is accessing an API that sits behind a load balancer. I want to make sure that only requests from my website xyz.com are allowed through my load balancer to my API. I thought that the flow is user -> CloudFront -> load balancer, so I added a rule on my load balancer's security group to only allow HTTP access if it comes from CloudFront via the prefix list for Amazon CloudFront.

This prevents my website from accessing the load balancer. So, I guess I was wrong, and the flow is that the user (browser) sends the request to the API and not CloudFront (so CloudFront is only sharing the website's assets for rendering)? Am I correct? If so, is there a way to make sure that only requests from my website go through?

Tim P
If the web site is static, it is not making the request to the API. My guess is that it is a client side script (i.e. JavaScript) that is making the call to the API. So you can look into authentication options or refer options for filtering. If it truly is a client side call to the API you are going to have a harder time limiting access to only users of your web site.
Score:1
Tim

From what you've said CloudFront is in front of S3, rather than in front of your API. You can put CloudFront in front of your API if you want to, but you have to choose to do that. From memory, that's done in the API Gateway console / API.

It sounds to me like the user accesses S3 via CloudFront, which returns a web page. The web page then accesses the API for additional information. One solution is to authenticate user access to the API (AWS docs link) such as using AWS Cognito or a Lambda authorizer.

If you don't want users to log in, you're going to have to do some research about application authentication vs user authentication, or hope someone else gives an answer that helps.
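
The Lambda authorizer option mentioned in the answer above, as an added example that is not part of the original thread: a TOKEN-type API Gateway authorizer that allows a request only when it carries a valid, unexpired signed token. The token format (`<user>.<expiry>.<hex HMAC-SHA256>`), the `sign` helper and the secret are assumptions made for illustration; a Cognito-based setup would verify a JWT instead.

```python
import hashlib
import hmac
import time

# Constructed demo secret (assumption); load the real one from a secrets store.
SECRET = b"constructed-demo-secret"


def sign(user: str, expires: int, secret: bytes = SECRET) -> str:
    """Issue a token of the assumed form '<user>.<expiry>.<hex HMAC-SHA256>'."""
    msg = f"{user}.{expires}".encode()
    return f"{user}.{expires}.{hmac.new(secret, msg, hashlib.sha256).hexdigest()}"


def verify(token: str, now: int, secret: bytes = SECRET):
    """Return the user name if the token is authentic and unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdecimal():
        return None
    user, expires, sig = parts
    msg = f"{user}.{expires}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return user if int(expires) > now else None


def policy(principal: str, effect: str, resource: str) -> dict:
    """Build the IAM policy document API Gateway expects from an authorizer."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
    return {
        "principalId": principal,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
    }


def handler(event, context=None, now=None):
    """Authorizer entry point; 'now' is injectable so the check is testable."""
    now = int(time.time()) if now is None else now
    token = event.get("authorizationToken", "").removeprefix("Bearer ")
    user = verify(token, now)
    if user is None:
        # A browser script, curl, or any other client without a valid token is denied.
        return policy("anonymous", "Deny", event["methodArn"])
    return policy(user, "Allow", event["methodArn"])
```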
