Rclone delegates all of this stuff to the AWS Go SDK so the problem will with rclone's use of the SDK or perhaps a bug in the SDK.
By rclone? Can you tell that?
That looks like the case in the log. Are there requests which work too? Or do they all fail?
Is that how rclone picks up the auth? From an environment variable? That would explain why it isn't being updated.
Can you get rclone to fetch the STS token itself? It should know how to do that (at least I know others have done it successfully!) If it fetches itself then it will know how to update it.
If you look at this post you'll see a description of how to make rclone fetch the STS token itself using the profile.