Ok, I believe this kind of access key will require us to pass the session token along with the key/secret pair. I’ve opened an issue about this in our tracker.
In the meantime, if you do not set any credentials in the environment or via a config object, then TileDB (via the AWS C++ SDK which we use internally) should load the credentials from the AWS CLI config (if you have set the credentials with aws login). In that case, I think the token should be correctly included and the request may work.