
I'm trying to learn how to use serverless.com's AWS AppSync plugin.

I get an error when I try to deploy:

Error:

    CREATE_FAILED: GraphQlApi (AWS::AppSync::GraphQLApi)
    User: arn:aws:iam::705076103456:user/cloud_user is not authorized to perform: appsync:TagResource on resource: arn:aws:appsync:us-east-1:705076103456:* with an explicit deny (Service: AWSAppSync; Status Code: 403; Error Code: AccessDeniedException; Request ID: 7695c105-653f-4bff-9b73-05c640d6e2b4; Proxy: null)

The plugin documentation doesn't mention anything about needing to explicitly provide permissions to deploy, so I assume there is something wrong with my serverless.yml:

    service: daveh-football-api
    provider:
      name: aws
      deploymentBucket:
        name: daveh-mindgym-football-api2
        serverSideEncryption: AES256
      stage: ${opt:stage, 'local'}
      runtime: nodejs14.x
      logs:
        restApi: true
      tracing:
        apiGateway: true
        lambda: true
      region: us-east-1
      profile: acloudguru
      apiGateway:
        shouldStartNameWithService: true

    plugins:
      - serverless-deployment-bucket
      - serverless-webpack
    #  - serverless-domain-manager
      - serverless-offline
      - serverless-plugin-stage-variables
      - serverless-appsync-plugin

    custom:
      appSync:
        authenticationType: API_KEY
        mappingTemplates:
          - type: Query
            request: false
            response: false
            dataSource: query
            field: hello
        dataSources:
          - type: AWS_LAMBDA
            name: query
            config:
              functionName: query
        apiKeys:
          - name: myapikey
            description: 'My api key'
            expiresAfter: 30d

    functions:
      ping:
        handler: src/rest-handler.handler
        events:
          - http:
              method: GET
              path: ping

      query:
        handler: src/query-handler.handler

    resources:
      Resources:
        GatewayResponseDefault4XX:
          Type: 'AWS::ApiGateway::GatewayResponse'
          Properties:
            ResponseParameters:
              gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
              gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
            ResponseType: DEFAULT_4XX
            RestApiId:
              Ref: 'ApiGatewayRestApi'
        GatewayResponseDefault5XX:
          Type: 'AWS::ApiGateway::GatewayResponse'
          Properties:
            ResponseParameters:
              gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
              gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
            ResponseType: DEFAULT_5XX
            RestApiId:
              Ref: 'ApiGatewayRestApi'

There's also a REST endpoint defined in this serverless.yml. Before I added the AppSync stuff, it deployed fine.

Here are the dev dependencies from my package.json:

    "serverless": "^3.12.0",
    "serverless-appsync-plugin": "^1.13.0",
    "serverless-deployment-bucket": "^1.5.2",
    "serverless-offline": "^8.5.0",
    "serverless-plugin-stage-variables": "^1.10.1",
    "serverless-webpack": "^5.7.0",
    "ts-loader": "^9.2.8"

Any ideas what I'm missing? All I'm trying to do is get a "hello world" GraphQL thing deployed right now.

  • Looks like `cloud_user` has an explicit deny IAM policy for tagging Appsync resources AKA you're not allowed. Since deny policies override **all & any** allow policies, it's not just a matter of adding an allow policy but you must remove the deny policy for that user. Are you creating `cloud_user`? If so, can you please share how? Or is this an account provided to you? – Ermiya Eskandary May 08 '22 at 20:53
  • I'm using a Cloud Sandbox from acloud.guru. So `cloud_user` is created by them and I don't have access to how it's configured. – dave4420 May 19 '22 at 06:51
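To make the "deny overrides allow" rule from the comment above concrete, here is an added example (not code from the question, the plugin, or acloud.guru) that evaluates an IAM policy document locally the way the IAM policy simulator reports its `EvalDecision`. It assumes a constructed sample policy with a placeholder account id, and only handles `Action`/`Resource` statements (no `Condition`, `NotAction` or `NotResource`), so treat its verdict as an approximation of real IAM evaluation.

```python
import fnmatch
import json

# Constructed sample policy (placeholder account id, not the asker's): a broad
# allow that would let the user deploy AppSync, plus a sandbox-style guardrail
# that explicitly denies tagging, which is exactly what the CloudFormation error
# in the question reports ("with an explicit deny").
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["appsync:*", "cloudformation:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "appsync:TagResource",
     "Resource": "arn:aws:appsync:us-east-1:123456789012:*"}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, case_insensitive=False):
    # IAM treats '*' and '?' in Action and Resource as wildcards; action names
    # are case-insensitive, resource ARNs are compared as written.
    if case_insensitive:
        candidate, patterns = candidate.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return (decision, matched_statements).

    decision is one of the values the IAM policy simulator uses:
    'allowed', 'explicitDeny' or 'implicitDeny'. A single matching Deny wins
    over any number of matching Allows, so adding more Allow statements can
    never fix an explicitDeny; the Deny itself has to go.
    """
    allowed, denied, matched = False, False, []
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction / NotResource statements are out of scope here
            if not (_matches(stmt["Action"], action, case_insensitive=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            matched.append(stmt)
            denied |= stmt["Effect"] == "Deny"
            allowed |= stmt["Effect"] == "Allow"
    if denied:
        return "explicitDeny", matched
    return ("allowed" if allowed else "implicitDeny"), matched
```

Against a live account the same question is answered by `aws iam simulate-principal-policy --policy-source-arn <user arn> --action-names appsync:TagResource --resource-arns <arn>`, which lists the matching statements so you can see which policy carries the Deny.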
