If you have AWS environment vars set on the host (like `AWS_SESSION_TOKEN`), the environment vars in the play would need to fully override those to avoid mixed credentials. You could check if it's working with the `amazon.aws.aws_caller_info` module (Get information about the user and account being used to make AWS calls, Ansible Community Documentation).

`environment` isn't a secure way to pass credentials though. You could use `module_defaults` set at the play/block level instead, like this: amazon.aws/tests/integration/targets/iam_group/tasks/main.yml at stable-7 · ansible-collections/amazon.aws · GitHub. The module options `access_key`, `secret_key`, `session_token` (you could swap those 3 out with `aws_profile` if you go that route) and `region` will be passed to all action plugins and modules in the `amazon.aws` and `community.aws` collections.
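As an added example (not from the post above or the amazon.aws repository), here is a play that scopes its AWS credentials with `module_defaults` on the `group/aws` action group and then uses `amazon.aws.aws_caller_info` to confirm which identity the play is really calling AWS with. The vault-encrypted vars file `aws_creds.yml` and the variable names it defines (`aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`, `aws_region`, `expected_account_id`) are assumptions.

```yaml
# Added example, not part of the original post. Credentials are scoped to
# the amazon.aws / community.aws modules of this play via module_defaults
# instead of being exported with `environment:`, so nothing leaks into
# other tasks and nothing is mixed with AWS_* vars already set on the host.
- name: Call AWS with play-scoped credentials and verify the identity
  hosts: localhost
  gather_facts: false

  vars_files:
    # Hypothetical vault-encrypted file defining aws_access_key_id,
    # aws_secret_access_key, aws_session_token, aws_region and
    # expected_account_id (the 12-digit account this play must run in).
    - aws_creds.yml

  module_defaults:
    # group/aws is the action group that covers the amazon.aws and
    # community.aws collections, so every module in them picks these up.
    # With a named profile you would set `profile:` here instead of the
    # three key options.
    group/aws:
      access_key: "{{ aws_access_key_id }}"
      secret_key: "{{ aws_secret_access_key }}"
      session_token: "{{ aws_session_token }}"
      region: "{{ aws_region }}"

  tasks:
    - name: Look up the caller identity the play is actually using
      amazon.aws.aws_caller_info:
      register: caller

    - name: Stop before touching anything if the identity is not the expected one
      ansible.builtin.assert:
        that:
          - caller.account == expected_account_id
        fail_msg: >-
          AWS calls are going out as {{ caller.arn }} (account
          {{ caller.account }}), not the expected account {{ expected_account_id }}.
        success_msg: "Running as {{ caller.arn }}"
```

Run it with `ansible-playbook --ask-vault-pass play.yml`; if host-level AWS_* variables were being picked up instead of the play's credentials, the assert would report the unexpected ARN before any resource-changing task runs.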