CSRs generated from CloudHSM EC key fail verification
The OpenSSL engine for CloudHSM doesn't support ECC keys.
This is stated implicitly by https://docs.aws.amazon.com/cloudhsm/latest/userguide/openssl-library.html (it's not in the list).
What confused me is that https://docs.aws.amazon.com/cloudhsm/latest/userguide/ki-openssl-sdk.html#ki-openssl-4 implies that it is supported.
It's not. Use one of the other client libraries (JCE, PKCS#11, KSP or CNG).
(I confirmed this with AWS support)