So this one is a bit tricky AFAIK. There are some ways to do this, where the IAM role that the Lambda functions use checks the Cognito Identity Pool user id and decides if the function can be accessed. I don’t think there is a way to pass the role info along to the Lambda functions.
However, the far easier way is to just manage this within your application. Check against your DB and decide if the user is allowed to perform the requested action.
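
The application-level check described above, as an added example that is not part of the original post: a Lambda handler behind API Gateway with IAM authorization reads the caller's Identity Pool id from `event.requestContext.identity.cognitoIdentityId` and looks it up before acting. The permissions table, the action names and the `loadPermissions` helper are assumptions made for illustration.

```javascript
// Constructed sample rows standing in for a real permissions table (hypothetical schema).
const PERMISSIONS = new Map([
  ["us-east-1:00000000-0000-0000-0000-000000000001", { actions: ["notes:read", "notes:delete"] }],
  ["us-east-1:00000000-0000-0000-0000-000000000002", { actions: ["notes:read"] }],
]);

// Hypothetical DB accessor; swap in a real query against your own store.
async function loadPermissions(identityId) {
  return PERMISSIONS.get(identityId) || null;
}

// Take the identity only from the request context that API Gateway fills in
// after IAM (SigV4) authentication. An id sent in the body, query string or
// headers is caller-controlled and is ignored here.
function callerIdentity(event) {
  const id = event?.requestContext?.identity?.cognitoIdentityId;
  return typeof id === "string" && id.length > 0 ? id : null;
}

// Deny by default: no identity -> 401, unknown user or missing grant -> 403.
function decide(identityId, action, record) {
  if (!identityId) return { allowed: false, statusCode: 401 };
  if (!record || !Array.isArray(record.actions)) return { allowed: false, statusCode: 403 };
  return record.actions.includes(action)
    ? { allowed: true, statusCode: 200 }
    : { allowed: false, statusCode: 403 };
}

// Lambda entry point for a hypothetical "delete note" route.
async function handler(event) {
  const identityId = callerIdentity(event);
  const record = identityId ? await loadPermissions(identityId) : null;
  const verdict = decide(identityId, "notes:delete", record);
  if (!verdict.allowed) {
    // Same body for 401 and 403 so the response does not reveal which users exist.
    return { statusCode: verdict.statusCode, body: JSON.stringify({ error: "not allowed" }) };
  }
  // ... perform the delete here, scoped to identityId ...
  return { statusCode: 200, body: JSON.stringify({ deleted: true }) };
}
```
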