At this point I'm snookered - I feel like if my password is ever compromised I'm screwed, but it's not like I can just start a new account because all my digital purchases, my Kindle, my Echo, etc are tied to my old account.
Basically: do yourself a favour and sign up to distinct services with distinct accounts and don't have one global account for everything.
I think your conclusion and advice is good. Separate your accounts for different services.
> I've hit an impasse with support, they'll only accept a notarized identity verification form and affidavit to proceed, which isn't that easy or cheap to do outside of the USA.
This should in fact be very cheap most places in the world. Do they not have notaries public in your country?
Generally you just need to sign a legally binding form asserting under penalty of perjury that you are so-and-so, and this is your account. You do this in front of the notary, and they inspect your government ID to confirm it's really you. Then the notary stamps the document to indicate that they've witnessed you signing it, and have inspected your id. Now you're done.
A number of online businesses require this in certain circumstances, and it's something that you can do in about 10 minutes at a store. In the USA, stores like the UPS Store, Kinko's Copies, etc. often have notary services. If you work for a medium-sized company or larger, your company will typically have a notary in its business center who may be willing to notarize personal documents for free. It should be a pretty simple process to complete, if inconvenient.
I used AWS for a bit and then stopped, and then forgot about it. I've kept my Amazon account up to date, but not my AWS details. For years I continued to use my Amazon account without ever needing to use the MFA, so forgot I ever activated it. This year they've suddenly decided to enforce the MFA globally. I blame myself for not removing the MFA when I closed the account, but you can hopefully see why it's a frustrating user experience also. And like I say, the net result is a less secure Amazon account for everything but AWS until I can remove the MFA requirement.
Re notarizing, my understanding is that I need to use a US notary service for it to be valid for a US document (eg available via the US embassy).