Posting here in case anyone else has this issue. 

So here's the essential problem: the directions for setting up SSL for Jira (here:  https://confluence.atlassian.com/adminjiraserver073/running-jira-applications-over-ssl-or-https-861253906.html)  instruct you to create a new Java keystore and put your custom SSL certificates in it.  Unfortunately, this will prevent Java from successfully completing any SSL connection to a server whose SSL certificate chain is not in the new keystore. 

Since the cloud migration assistant needs to talk to AWS servers over SSL, it fails because it cannot create the SSL connection without trusted certificate chains (that are missing from the custom keystore created following the directions above).  Normally, java would use the default keystore here, which includes the necessary root certs:

e:\Atlassian\jira\jre\lib\security\cacerts

To resolve the issue, I merged the cacerts into my keystore file.  In the example below jira.jks is the custom keystore that has my server's SSL certs in it.  Obviously set your passwords for your keystores as necessary (default is changeit) and make a backup copy of your jks file before doing this.

e:\Atlassian\jira\jre\bin\keytool.exe -importkeystore -srckeystore e:\Atlassian\jira\jre\lib\security\cacerts -destkeystore e:\Atlassian\jira\jira.jks -srcstorepass changeit -deststorepass changeit

After merging the cacerts file with my custom keystore and restarting Jira, the migration wizard checks now all work as expected.

There's probably some fine print somewhere that I could've read to separately specify the cacerts file or something, but this worked in a pinch and our on-prem server's days are numbered anyway.