This can most certainly be done, but as you said, you’re limited by your WordPress theme as to what functionality could be required.
Firstly, my suggestion would be separating the S3 buckets, one for public and one for membership (easier to restrict the rulesets).
In your CloudFront distribution, if you can, create a secondary origin for a path such as /membership or /restricted and have that target your S3 bucket as the destination. By doing this it will all be on the same domain but will resolve to isolated buckets depending on the path of the file.
If you set the cache behaviour for this specific origin to use trusted signers, you can generate a signed cookie from your application that would grant you access to the membership-only origin.
If you’re not able to add this logic into your WordPress site then instead you could take the approach of using Lambda@Edge to determine if the user should be allowed access to this content.
AWS have published a post specifically about using Lambda@Edge in this way.