awsdocs / amazon-ecs-developer-guide

The open source version of the Amazon ECS developer guide. You can submit feedback & requests for changes by submitting issues in this repo or by making proposed changes & submitting a pull request.

Resource-type container-instance documented differently

sponiro opened this issue · comments

At https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html#amazonelasticcontainerservice-container-instance we can see the resource-type documented as:

arn:${Partition}:ecs:${Region}:${Account}:container-instance/${ClusterName}/${ContainerInstanceId}

At https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.html#IAM_container_instance_policies there is an example which looks like this:

arn:aws:ecs::<aws_account_id>:container-instance/<container_instance_UUID>

I tried the first version with the ListTask action and did not get it to work. I solved it by using the wildcard * as the resource and a condition for the cluster. I guess the Service Authorization Reference is wrong. In the past I also had problems with RunTask and its resources statement, which I could not resolve. Maybe there was some kind of rework in the past which did not make it to the Service Authorization Reference?

The Service Authorization Reference is using the correct ARN format. The issue in the guide is that it was using the older ARN format from before the cluster name was added to the ARN formats for container instances, services, and tasks. I've made an update to the guide to correct the ARN formats and that should be live soon.
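As an added example, not code from the issue or from the ECS guide: a small Python helper that parses ECS container-instance, task and service ARNs, tells the legacy format (no cluster-name segment) apart from the current one, and builds a resource-scoped Allow statement in the format the Service Authorization Reference documents. The account, region, cluster name and instance ID are constructed values.

```python
import re

# Constructed sample ARNs (not values from the issue): the current format carries
# the cluster name, the legacy format from the old guide example does not.
CURRENT_ARN = ("arn:aws:ecs:us-east-1:123456789012:container-instance/"
               "prod/1a2b3c4d-0000-1111-2222-333344445555")
LEGACY_ARN = ("arn:aws:ecs:us-east-1:123456789012:container-instance/"
              "1a2b3c4d-0000-1111-2222-333344445555")

# Region and account may be empty in older examples, so allow empty fields.
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):ecs:(?P<region>[^:]*):(?P<account>[^:]*):"
    r"(?P<type>container-instance|task|service)/(?P<path>.+)$"
)

def parse_ecs_arn(arn):
    """Split an ECS container-instance, task or service ARN into its fields.

    Returns a dict; 'legacy' is True when the ARN lacks the cluster-name segment.
    """
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ECS container-instance/task/service ARN: {arn}")
    fields = m.groupdict()
    segments = fields.pop("path").split("/")
    if len(segments) == 2:
        fields.update(cluster=segments[0], resource_id=segments[1], legacy=False)
    elif len(segments) == 1:
        fields.update(cluster=None, resource_id=segments[0], legacy=True)
    else:
        raise ValueError(f"unexpected resource path in ARN: {arn}")
    return fields

def to_current_format(arn, cluster_name=None):
    """Rewrite an ARN into the <type>/<cluster>/<id> form; legacy ARNs need the cluster name."""
    f = parse_ecs_arn(arn)
    cluster = f["cluster"] or cluster_name
    if cluster is None:
        raise ValueError("legacy ARN has no cluster segment; pass cluster_name")
    return (f"arn:{f['partition']}:ecs:{f['region']}:{f['account']}:"
            f"{f['type']}/{cluster}/{f['resource_id']}")

def resource_scoped_statement(actions, arn, cluster_name=None):
    """Least-privilege Allow statement scoped to one resource in the current ARN format."""
    return {"Effect": "Allow", "Action": list(actions),
            "Resource": [to_current_format(arn, cluster_name)]}
```

A policy written against the legacy form silently matches nothing under the current format, so normalising ARNs before putting them in a Resource element is the cheap check that avoids the AccessDenied the issue describes.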