@reiver @jonty I think all you have to do to get that to work is make an S3 bucket called "xrpc" and make it publicly readable.
This kind of thing is one of the reasons other domain ownership verification protocols (e.g. ACME) use the /.well-known path prefix 😛