CloudFront OAI ARN incorrectly fails I3042:accountId check

[Slooz]

CloudFormation Lint Version

1.18.4

What operating system are you using?

Mac, Ubuntu

Describe the bug

cfn-lint expects the :cloudfront: segment of the CloudFront OAI ARN to not be a hardcoded account ID, when the :cloudfront: segment should be hardcoded to cloudfront.

$ cfn-lint --format pretty --regions us-east-2 --include-checks I --configure-rule E3012:strict=True I3042:region=True I3042:accountId=True -- template.yaml
template.yaml
12:15:              I3042     ARN in Resource Resource contains hardcoded AccountId in ARN or incorrectly placed Pseudo Parameters

Related to #3683, #3716

Expected behavior

CloudFront OAI ARN doesn't fail I3042:accountId check

Reproduction template

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Resource:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: bucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::cloudfront:user/CloudFront Origin Access Identity E15MNIMTCFKK4C
            Action: s3:GetObject
            Resource: arn:aws:s3:::bucket/*