Wednesday, 18 September 2013

Simplest way to restrict access to CloudFront (S3) files from some users but not others

I'm just getting started with permissions on AWS S3 and CloudFront, so please take it easy on me.

Two main questions:

1. I'd like to allow access to some users (e.g., those that are logged in) but not others. I assume I need to be using ACLs instead of a bucket policy, since the former is more customizable in that you can identify the user in the URL with query parameters. First of all, is this correct? Can someone point me to the plainest English description of how to do this on a file/user-by-file/user basis? The documentation on ACLs confuses the heck out of me.

2. I'd also like to restrict access such that people can only view content on my-site.com and not your-site.com. Unfortunately, the S3 documentation example bucket policy for this has no effect on access for my demo bucket (see code below, slightly adapted from the AWS docs). Moreover, if I need to foremost be focusing on allowing user-by-user access, do I even want to be defining a bucket policy?

I realize I'm not even touching on how to make this work in the context of CloudFront (the ultimate goal), but any thoughts on questions 1 and 2 would be greatly appreciated, and mentioning CloudFront would be a bonus at this point.
```json
{
  "Version": "2008-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://mysite.com/*",
            "https://www.mysite.com/*"
          ]
        }
      }
    }
  ]
}
```
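A small evaluator for the policy above, added here as an example (it is not from the question, nor AWS code): it applies IAM's `StringLike`/`StringNotLike` matching and the explicit-Deny-beats-Allow rule to constructed sample requests, and shows why an Allow-only statement can never take access away from an object that is already readable through another grant such as a public-read ACL, which is one reason such a policy appears to "have no effect". The `REFERER_DENY` statement is my own hardened counterpart; the Referer header is supplied by the browser, so either form is a hotlinking deterrent, not per-user authentication.

```python
import re

# The Allow statement from the question, rebuilt as a dict for the evaluator below.
REFERER_ALLOW = {
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {"StringLike": {"aws:Referer": ["https://mysite.com/*", "https://www.mysite.com/*"]}},
}
# Hardened counterpart (my addition): an explicit Deny for every other Referer. An explicit
# Deny overrides grants from other sources (ACLs included), so it restricts rather than allows.
REFERER_DENY = {
    "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {"StringNotLike": {"aws:Referer": ["https://mysite.com/*", "https://www.mysite.com/*"]}},
}
GET, OBJ = "s3:GetObject", "arn:aws:s3:::my-bucket/photo.jpg"  # constructed sample request

def aws_string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one char, nothing else is special."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def condition_holds(condition, context):
    """StringLike needs a match, StringNotLike needs none. A missing key (e.g. a direct visit
    with no Referer) therefore fails StringLike but satisfies StringNotLike, as in IAM."""
    for operator, keys in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise ValueError("operator not modelled: " + operator)
        negated = operator == "StringNotLike"
        for key, patterns in keys.items():
            patterns = [patterns] if isinstance(patterns, str) else patterns
            value = context.get(key)
            matched = value is not None and any(aws_string_like(p, value) for p in patterns)
            if matched == negated:
                return False
    return True

def statement_applies(stmt, action, resource, context):
    as_list = lambda v: [v] if isinstance(v, str) else v
    return (any(aws_string_like(a, action) for a in as_list(stmt["Action"]))
            and any(aws_string_like(r, resource) for r in as_list(stmt["Resource"]))
            and condition_holds(stmt.get("Condition", {}), context))

def decision(statements, action, resource, context):
    """Bucket-policy verdict for an anonymous request: explicit Deny wins, then Allow, else
    ImplicitDeny, meaning the policy grants nothing and other grants (ACLs) decide."""
    effects = {s["Effect"] for s in statements if statement_applies(s, action, resource, context)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"
```

Note that `StringLike` is literal apart from the wildcards, so a page on `my-site.com` (as written in the question's prose) would not match the `mysite.com` patterns in the policy.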
