The HSTS Preload List Submission website has very specific prerequisites which disallow combining protocol changes and redirects into one step (classic example - redirecting requests for http://example.com directly to https://www.example.com fails their test - a protocol upgrade to HTTPS must occur first, then the 'www' subdomain may be added in a discrete step). Is it possible to meet these rules for sites hosted on Amazon CloudFront?
A related question is here, about sending the necessary headers, but I already have that part tested and working. My issue is the redirect, for a site that uses a www subdomain.
I have CloudFront configured to 'Redirect HTTP to HTTPS' under the default behavior and that works perfectly for all HTTP requests, however requests to https://example.com first redirect to the downgraded protocol http://www.example.com before being upgraded to HTTPS, and this is where I am stuck. I need to handle HTTP and HTTPS requests for the second-level domain differently.
For clarity, here is the redirect pattern I want to achieve:
http://example.com > https://example.com > https://www.example.com
http://www.example.com > https://www.example.com
https://example.com > https://www.example.com
https://www.example.com
And here is what CloudFront is doing now, with the third line (protocol downgrade) resulting in HSTS Preload submission failure:
http://example.com > https://example.com > https://www.example.com
http://www.example.com > https://www.example.com
https://example.com > http://www.example.com > https://www.example.com
https://www.example.com
I suspect you may have overlooked the need to purge the CloudFront cache after changing the redirect target protocol to https, because the configuration described (in comments) should work as expected -- setting the "protocol" to "https" in the redirecting bucket's configuration should not do this:
Create a CloudFront invalidation request using the pattern /*. Once the invalidation request is complete, as shown in the console, test again. If you still see unexpected behavior, please capture the response headers and edit them into the question.
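An added example (not from the question or the answer above) for checking a captured redirect chain against the two rules the question describes: no hop may downgrade from https to http, and a hop away from http:// must be an in-place scheme upgrade on the same host. The sample chains are constructed from the ones listed in the question; `capture_chain` is an assumed helper that fetches each hop without auto-following and expects absolute Location headers, as CloudFront and S3 return.

```python
import http.client
from urllib.parse import urlsplit

# Constructed samples: (request_url, status, Location header) per hop,
# mirroring the desired chain and the failing chain from the question.
GOOD_CHAIN = [
    ("http://example.com/", 301, "https://example.com/"),
    ("https://example.com/", 301, "https://www.example.com/"),
]
BAD_CHAIN = [
    ("http://example.com/", 301, "https://example.com/"),
    ("https://example.com/", 301, "http://www.example.com/"),
    ("http://www.example.com/", 301, "https://www.example.com/"),
]

def check_chain(hops):
    """Return a list of rule violations for a captured redirect chain."""
    problems = []
    for i, (src, status, loc) in enumerate(hops):
        s, d = urlsplit(src), urlsplit(loc)
        if status not in (301, 302, 307, 308):
            problems.append(f"hop {i}: {src} returned {status}, not a redirect")
            continue
        # Rule 1: once on https, never send the client back to http.
        if s.scheme == "https" and d.scheme == "http":
            problems.append(f"hop {i}: protocol downgrade {src} -> {loc}")
        # Rule 2: an http hop upgrades the scheme only; host changes come later.
        if s.scheme == "http" and not (d.scheme == "https" and d.hostname == s.hostname):
            problems.append(f"hop {i}: http hop must upgrade in place, got {src} -> {loc}")
        # Sanity: the next captured request must be the Location just issued.
        if i + 1 < len(hops) and hops[i + 1][0] != loc:
            problems.append(f"hop {i}: next request {hops[i + 1][0]} != Location {loc}")
    return problems

def capture_chain(start_url, max_hops=5):
    """Assumed helper: HEAD each hop without following, return (url, status, Location) tuples."""
    hops, url = [], start_url
    for _ in range(max_hops):
        u = urlsplit(url)
        cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
        conn = cls(u.hostname, u.port, timeout=10)
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        loc = resp.getheader("Location")
        conn.close()
        if loc is None:  # final response, no further redirect
            break
        hops.append((url, resp.status, loc))
        url = loc  # assumes an absolute Location, as CloudFront/S3 send
    return hops
```

Run `check_chain(capture_chain("http://example.com/"))` and `check_chain(capture_chain("https://example.com/"))` after the invalidation completes; an empty list means both chains satisfy the stated rules.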