[abcdefg12]

Of course it can.

[kmeisthax]

So, the CloudFront setup process only surfaces S3, ELBs, API Gateways, Mediastore, and Mediapackage domains as origin domains. I do notice that it will let me type in an arbitrary domain - is that how you're supposed to stick bare EC2 instances behind CloudFront? Just provide it something like realoriginserverplsdonthack.example.com and use some other method (e.g. VPC configuration) to prevent bypassing CloudFront?

[attentive]

Correct, you can put multiple instances (A records) there, if on route53 you can also use healthchecks, geo etc.

If you want to lock ec2 access to cloudfront only you can do it in SG with "managed prefix list for CloudFront".