Still smells like an API flaw to me
Possibly a session-hijacking flaw that allows a bad actor to MITM a legitimate session between a device and Amazon's servers and use it to add a bogus device?