Cannot assume role as 3rd party user

I want to grant push access to a specific S3 bucket to a user from another AWS account. The role I'm using works well when assumed as a user from my own account, but I get the following error when I try to access it as a user from another account:

User: arn:aws:iam::1231231231:user/data-upload-user/frank-DataUploadUser-WKWGL8C9VUBK is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::3333333333:role/PicSureDataUploadRole

I've scrambled the account IDs just in case. Everything else is as it is in AWS. Here is an excerpt CFT that shows the role I want to assume and the trust policy:

Resources:
#-------------------------------------------------------------------------------
#                                Roles & Policies
#-------------------------------------------------------------------------------
  DataUploadPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Roles:
        - !Ref DataUploader
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:PutObject*
              - s3:DeleteObject*
            Resource:
              - 'arn:aws:s3:::pic-sure-data-sharing-bucketprototype/*'
  DataUploader:
    Type: AWS::IAM::Role
    Properties:
      RoleName: DataUploadRole
      Path: '/'
      # unit seconds. 12 hours
      MaxSessionDuration: 43200
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              AWS:
              - 'arn:aws:iam::1231231231:user/data-upload-user/frank-DataUploadUser-WKWGL8C9VUBK'
              - !Sub 'arn:aws:iam::${ServiceWorkbenchAccount}:user/data-upload-user/${DataUploadUser}'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Policies: []

Here's the request I'm making to assume the role:

import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;

// roleArn, sharedSecret (the ExternalId) and stsClient (an StsClient built
// with the calling user's credentials) are defined elsewhere in the application.
AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
    .roleArn(roleArn)
    .roleSessionName("test_session" + System.nanoTime())
    .externalId(sharedSecret)
    .durationSeconds(60 * 60) // 1 hour, within the role's MaxSessionDuration
    .build();
AssumeRoleResponse assumeRoleResponse = stsClient.assumeRole(roleRequest);

I can literally take the role from the error message, find that exact role in the AWS console, take the user from the error message, and find that in the role's trust policy. I have no idea where to go from here.

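As an added example (not code from the post), a small offline evaluator that models the two grants a cross-account sts:AssumeRole call needs: a trust policy on the role in the target account that names the caller, and an identity policy on the caller in its own account that allows sts:AssumeRole on the role. The same-account shortcut, the sts:ExternalId check and the sample policies are constructed and deliberately simplified (no wildcards, no explicit Deny, no account-root principals).

```python
from typing import Any, Dict, List, Optional, Tuple

ASSUME = "sts:AssumeRole"

def _lst(v: Any) -> List[Any]:
    """IAM lets Action/Resource/Principal be a string or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]

def _account(arn: str) -> str:
    """arn:aws:iam::ACCOUNT:... -> ACCOUNT"""
    return arn.split(":")[4]

def trust_allows(trust: Dict, caller_arn: str, external_id: Optional[str]) -> Tuple[bool, str]:
    """Does the role's trust policy admit this caller, with this ExternalId?"""
    for st in trust["Statement"]:
        if st.get("Effect") != "Allow" or ASSUME not in _lst(st.get("Action", [])):
            continue
        if caller_arn not in _lst(st.get("Principal", {}).get("AWS", [])):
            continue
        want = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if want is not None and want != external_id:
            return False, "trust policy names the caller but the sts:ExternalId condition fails"
        return True, "trust policy allows the caller"
    return False, "no trust statement names the caller"

def caller_allows(policies: List[Dict], role_arn: str) -> bool:
    """Does any identity policy attached to the caller allow sts:AssumeRole on this role?"""
    return any(st.get("Effect") == "Allow" and ASSUME in _lst(st.get("Action", []))
               and role_arn in _lst(st.get("Resource", []))
               for doc in policies for st in doc["Statement"])

def evaluate(caller_arn: str, caller_policies: List[Dict], role_arn: str,
             trust: Dict, external_id: Optional[str] = None) -> Tuple[bool, str]:
    """Simplified decision: trust policy first, then the caller-side grant for cross-account."""
    ok, why = trust_allows(trust, caller_arn, external_id)
    if not ok:
        return False, why
    if _account(caller_arn) == _account(role_arn):
        return True, why + "; same account and named explicitly, so no identity policy is needed"
    if caller_allows(caller_policies, role_arn):
        return True, why + " and the caller's own policy grants sts:AssumeRole"
    return False, "trust policy allows the caller, but the caller's account grants no sts:AssumeRole on the role"

# Constructed sample data: the caller and role ARNs from the post's error message.
CALLER = "arn:aws:iam::1231231231:user/data-upload-user/frank-DataUploadUser-WKWGL8C9VUBK"
ROLE = "arn:aws:iam::3333333333:role/PicSureDataUploadRole"
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": [CALLER]},
         "Action": [ASSUME], "Condition": {"StringEquals": {"sts:ExternalId": "external-id-placeholder"}}}]}
# The caller-side half, attached to the user in account 1231231231 (constructed).
CALLER_SIDE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ASSUME, "Resource": ROLE}]}
```

Run `evaluate(CALLER, [], ROLE, TRUST, "external-id-placeholder")` to see the trust-policy-only case, then again with `[CALLER_SIDE]` to see both halves in place.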
There are 0 answers