Let's establish facts here ... you say you can connect to the public IP with a browser (Firefox, Chrome, whatever), correct? Well, if that works, I guarantee you that's because there are two ports exposed on the public IP, 7474 and 7687. That's easily confirmed too, just
nmap -p 7474 <public ip>
nmap -p 7687 <public ip>
and both ports will show they are open.
Next you claim that you can browse to the instance when you tunnel out port 7474 from the private IP, but you cannot connect. Is that the correct situation? Again, easily confirmed, because after your ssh command you check this
nmap -p 7474 localhost
nmap -p 7687 localhost
and you'll see that the second port is not open.
If the above is the situation (and that's what I understand from your initial request), this will solve your problem:
ssh -N -L 7474:clusternodeip:7474 -L 7687:clusternodeip:7687 user@myec2instance -i mypemfile
You can actually see the browser needs both ports. The browser URL obviously goes to 7474; the connection itself, however, requires you to specify the Bolt URL.
Does that make sense?
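The two checks described in the post (are both ports forwarded, and does each local end accept connections) can be combined into one script. This is an added example, not part of the original post; the function names are hypothetical, and the parser assumes plain `-L [bind:]port:host:port` forwards with no IPv6 brackets or socket paths.

```python
import shlex
import socket

# Ports the Neo4j Browser needs, per the post above: HTTP UI and Bolt.
REQUIRED_PORTS = {7474: "HTTP (browser UI)", 7687: "Bolt (database connection)"}


def forwarded_local_ports(ssh_command):
    """Return the local ports named by -L options in an ssh command line."""
    args = shlex.split(ssh_command)
    ports = set()
    for i, arg in enumerate(args):
        if arg == "-L" and i + 1 < len(args):
            spec = args[i + 1]
        elif arg.startswith("-L") and len(arg) > 2:
            spec = arg[2:]  # attached form: -L7474:host:7474
        else:
            continue
        parts = spec.split(":")
        # [bind_address:]port:host:hostport -> local port is third from the end
        if len(parts) >= 3 and parts[-3].isdigit():
            ports.add(int(parts[-3]))
    return ports


def port_open(port, host="127.0.0.1", timeout=1.0):
    """True if a TCP connection to host:port succeeds (a plain connect check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(ssh_command, probe=port_open):
    """Map each required port to 'ok', 'not forwarded' or 'forwarded but closed'."""
    forwarded = forwarded_local_ports(ssh_command)
    result = {}
    for port in REQUIRED_PORTS:
        if port not in forwarded:
            result[port] = "not forwarded"
        else:
            result[port] = "ok" if probe(port) else "forwarded but closed"
    return result


if __name__ == "__main__":
    # Constructed command: forwards only 7474, the situation the post diagnoses.
    cmd = "ssh -N -L 7474:clusternodeip:7474 user@myec2instance -i mypemfile"
    for port, state in diagnose(cmd).items():
        print(port, REQUIRED_PORTS[port], state)
```

Run it while the tunnel is up; a port reported as "forwarded but closed" points at the remote side (nothing listening on the cluster node, or a security group in the way) rather than at the ssh command.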