I have found the problem and fixed it. As I stated before, the only difference between dev and prod environments was Cloudfront. So I needed to configure Cloudfront to differentiate calls with differents cookies and URLs. Grant needs cookies to initiate the connection with Strapi, while Strapi makes calls with queries in URLs.
More docs on that here: Caching content based on cookies - Amazon CloudFront
and here: Caching content based on query string parameters - Amazon CloudFront
Once I set up the Cloudfront policy (Cache key settings) to allow cookies and query strings, everything worked finally fine! I hope this can help some people overlooking that.