Session Manager unable to connect to instance in public subnet

I can't seem to get an instance in a public subnet to connect via session manager. The subnet that the instance ends up deploying to has 0.0.0.0/0 set to an internet gateway. The security group has no inbound rules and an outbound rule of Allow 0.0.0.0/0. The instance profile has the AmazonSSMManagedInstanceCore managed policy, the instance is on a public subnet with an internet gateway and a security group that allows all outbound requests, and it’s running AmazonLinux 2, so the SSM agent should be installed. I even added a userData command to install the latest again, but that didn’t change anything.

From the console, I see the following error message:

We weren't able to connect to your instance. Common reasons for this include:

• SSM Agent isn't installed on the instance. You can install the agent on both Windows instances and Linux instances.
• The required IAM instance profile isn't attached to the instance. You can attach a profile using AWS Systems Manager Quick Setup.
• Session Manager setup is incomplete. For more information, see Session Manager Prerequisites.

Here's a sample of CDK code that replicates the problem:

const region = 'us-east-2'

const myInstanceRole = new Role(this, 'MyRole', {
  assumedBy: new ServicePrincipal('ec2.amazonaws.com'),
})
myInstanceRole.addManagedPolicy(
  ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore')
)

const myUserData = UserData.forLinux()
myUserData.addCommands(
  `sudo yum install -y https://s3.${region}.amazonaws.com/amazon-ssm-${region}/latest/linux_amd64/amazon-ssm-agent.rpm`,
  'sudo systemctl restart amazon-ssm-agent',
)

const myInstance = new Instance(this, 'MyInstance', {
  instanceType: InstanceType.of(InstanceClass.C6I, InstanceSize.LARGE),
  machineImage: MachineImage.latestAmazonLinux({
    generation: AmazonLinuxGeneration.AMAZON_LINUX_2,
    cpuType: AmazonLinuxCpuType.X86_64,
  }),
  vpc: Vpc.fromLookup(this, 'ControlTowerVPC', {
    vpcName: 'aws-controltower-VPC',
  }),
  vpcSubnets: {
    subnetType: SubnetType.PUBLIC,
  },
  blockDevices: [
    {
      deviceName: '/dev/xvda',
      volume: BlockDeviceVolume.ebs(30, {
        volumeType: EbsDeviceVolumeType.GP2,
        encrypted: true,
      }),
    },
  ],
  userData: myUserData,
  role: myInstanceRole,
  detailedMonitoring: true,
})