Does the example sketch work without alteration (apart from adding secret.h details) or does this also fail?
From your description it does seem there is some problem with the certificate/secure connection on the ESP and AWS is rejecting/ignoring it.
The example sketch implement pubSubErr() that may help in determining the cause of the connection issue, what do you see in the Serial monitor?