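The conclusion is that it is "not needed".
The contents of the Lambda event differ between API Gateway and EventBridge: the body received via API Gateway is a different thing (payload) when it arrives via EventBridge, so it could not be verified in the first place. I was stuck on this until I found the answer below. Phew.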
Just wanted to provide an update to this issue.
There is no need to validate HMAC with EventBridge. Only Shopify is able to produce events into the partner event source that you would have configured in the App Setup for your app. For anyone still doing the validation and having issues with some webhooks, we’re currently trying to resolve an issue with Amazon and json encoding that in some cases causes an issue with the generated HMAC.
It’s best to simply remove HMAC validation for EventBridge and Pub/Sub deliveries as these are both considered trusted delivery channels. Only HTTP webhooks require HMAC validation.
https://community.shopify.com/c/shopify-apis-and-sdks/amazon-eventbridge-webhook-verification/td-p/891705
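The split described in the reply above, as an added example (not code from the original post or from Shopify): one Lambda handler that verifies the HMAC only for API Gateway deliveries and accepts EventBridge deliveries after checking the event source. The API Gateway proxy event shape, the `X-Shopify-Hmac-Sha256` header, the `aws.partner/shopify.com/` source prefix, the `detail.payload` layout, and all sample values are assumptions or constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed; really the app's API secret key
SOURCE_PREFIX = "aws.partner/shopify.com/"  # assumed partner event source naming


def shopify_hmac(raw_body, secret=SECRET):
    """Base64 HMAC-SHA256 over the exact bytes of the HTTP body."""
    mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def handler(event, context=None):
    # EventBridge: no raw body or signature header; only check the event source.
    if "detail-type" in event and "detail" in event:
        if not str(event.get("source", "")).startswith(SOURCE_PREFIX):
            return {"accepted": False, "reason": "unexpected source"}
        return {"accepted": True, "channel": "eventbridge",
                "data": event["detail"].get("payload")}
    # API Gateway proxy event: verify the HMAC over the body exactly as received.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    body = event.get("body") or ""
    raw = base64.b64decode(body) if event.get("isBase64Encoded") else body.encode()
    sent = str(headers.get("x-shopify-hmac-sha256", "")).encode()
    if not hmac.compare_digest(shopify_hmac(raw).encode(), sent):
        return {"accepted": False, "reason": "bad hmac"}
    return {"accepted": True, "channel": "http", "data": json.loads(raw)}


def demo():
    """Constructed sample events for both delivery channels."""
    body = '{"id":1,"title":"Caf\\u00e9"}'
    http_event = {"headers": {"X-Shopify-Hmac-Sha256": shopify_hmac(body.encode())},
                  "body": body, "isBase64Encoded": False}
    eb_event = {"source": SOURCE_PREFIX + "0000000/constructed-source",
                "detail-type": "shopifyWebhook",
                "detail": {"payload": json.loads(body), "metadata": {}}}
    # Re-serialising the parsed payload does not reproduce the signed bytes.
    reserialised = json.dumps(eb_event["detail"]["payload"]).encode()
    return handler(http_event), handler(eb_event), shopify_hmac(reserialised)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The third value returned by `demo()` differs from the signature in the HTTP header because the HMAC covers the raw body bytes, which the parsed `payload` object no longer carries.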