$ aws s3 presign s3://something/something.txt
https://something.s3.amazonaws.com/something.txt?AWSAccessKeyId=asdf&Expires=fdsa&Signature=asdffdsa
Following the link in my browser gives me an error message: "Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4."
I'm using the latest version
aws --version
aws-cli/1.11.93 Python/2.7.10 Darwin/16.6.0 botocore/1.5.56
The only other parameter seems to be --expires-in. How do I get this to use "AWS Signature Version 4"?
So your browser is not ever going to use a sigv4 request; it is just performing a basic GET request. To interact with KMS encrypted objects in S3 you need to make a request to that presigned URL using sigv4, which means you need to do the request yourself following the sigv4 spec that you linked in your question.
Here is a blog post that outlines how to make a GET request to a KMS encrypted key object with sigv4.
https://aws.amazon.com/blogs/developer/generating-amazon-s3-pre-signed-urls-with-sse-c-part-4/
Relevant code segment is at the bottom of that page.
aws:kms and sigv4 presigned URLs can be used without customer provided encryption keys. I've been using AmazonS3.generatePresignedUrl() to generate these browser accessible URLs in place of the aws-cli.
Ah sorry my bad.
You can set s3 to use sigv4 by default in the cli using:
aws configure set default.s3.signature_version s3v4
Is there a reason that couldn't be the default? It seems to work with both SSE algorithms.
While we have changed the requests to default to sigv4, we can't change the default of generate presigned url because it would be a breaking change (since region would now be required).