All my images are stored in ECR and deployed to ECS. Up until now, I've used S3 as the Docker cache backend. Due to rising costs, I've decided to switch to ECR. This is the code in question:
docker buildx build --push \
--cache-to type=registry,region=${REGION},ref=xxx.dkr.ecr.eu-west-1.amazonaws/build-cache:${SERVICE}-${ENV},access_key_id="$AWS_ACCESS_KEY_ID",secret_access_key="$AWS_SECRET_ACCESS_KEY",session_token="$AWS_SESSION_TOKEN",mode=max,image-manifest=true,oci-mediatypes=true \
--cache-from type=registry,region=${REGION},ref=xxx.dkr.ecr.eu-west-1.amazonaws/build-cache:${SERVICE}-${ENV},access_key_id="$AWS_ACCESS_KEY_ID",secret_access_key="$AWS_SECRET_ACCESS_KEY",session_token="$AWS_SESSION_TOKEN" \
--build-arg AZURE_USERNAME="$AZURE_USERNAME" \
--build-arg AZURE_PASSWORD="$AZURE_PASSWORD" \
--provenance=false \
--target $SERVICE --tag "${IMAGE_NAME}:${VERSION_TAG}" .
First run works just fine - I can see the new ECR repo being populated properly. However, on the 2nd run, I get this:
ERROR: failed to solve: error writing manifest blob: failed commit on ref "sha256:xxx": unexpected status from PUT request to : 400 Bad Request
Now, I see no manifests in ECR. There are just images, with their digest and image tag, and size, and all that. 1 image per service (my pipeline deploys 5 services at once, meaning 5 images, and 5 caches to go with it). Images sit in one repo, cache sits in another one. I didn't have this problem with S3 as backend, because there were all these various folders containing manifests, blobs, etc. Apparently, there is some issue with ECR as backend that I don't really understand. According to documentation I should be good, I set oci-mediatypes and image-manifest to true. So... what am I missing?