Around 13:20, it is mentioned that hash (digest) is being created using a private key which AWS has. This sounds incorrect as hash calculation does not require any kind of key. Was this a mistake?
The hash is taken of the log file itself, then Cloudtrail itself is uses a region specific private key to sign the digest. You/we have access to the public key for the region to validate the digest. Source: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html