Reselling AWS Via Accounts and Organizations
We want to allow our customers to create AWS resources (let's say EC2, S3, and VPCs) and then at the end of the month bill each of them for whatever they used.

Typical restrictions apply:

  • We don't want one customer to be able to clobber another's resources
  • We want to generate a report/bill programmatically via APIs
  • We want to be able to revoke access at any time, programmatically

The AWS documentation makes it seem the way this should be done is that we provision our AWS account, that account creates an organization, then every customer would be an account that belongs to the organization.

The documentation seems clear that we can get price breakdowns of each account within the org, but we're not 100% sure.

The part where we totally lose confidence is trying to figure out how to programmatically generate billing data at the end of the month. Documentation is very unclear on whether this is possible (though it seems obvious that it should be?).

Also, we find references in some places to people saying there should actually be one organization per customer, rather than one account per customer, and we wonder about the pros and cons of architecting our solution like that, rather than one account per customer all in a single org.
Solution

  • Using AWS Organizations, you could allocate one AWS Account per customer. Each AWS Account is totally isolated, just like your AWS Account is isolated from my AWS Account.

    Each AWS Account would have its own bill, but the payment will roll up to your AWS Organizations parent account, so you will be billed for the total of the child accounts. You can programmatically retrieve the billing information at both the child and parent levels.

    Please note that creating resources in child accounts means they will be totally isolated. If you want to put resources in the same VPC, then you would need to use VPC sharing: A new approach to multiple accounts and VPC management | Networking & Content Delivery

    You mention that you want to allow your customers to create their own resources in their Account. This will require you to create an IAM User (or multiple) so they can use the Account. You will maintain access to the child account via an IAM Role that you can assume from the parent account. Your challenge will be to grant them sufficient permission to create and manage resources, but not so much permission that they could delete your IAM Role and therefore remove your access to the account.

    I suggest you create an AWS Organization and a child account so you can experiment with it and understand how it will work. There is no charge for the Organization -- you only pay for AWS resources that are used.
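The two programmatic pieces the answer describes, as an added example that is not part of the answer or of any AWS code: building the Cost Explorer request that returns one month's cost per member account, summing a paginated response into a per-customer bill, and a service control policy that stops a customer's own admins from removing the role the parent account assumes. It assumes the role keeps the default name AWS Organizations gives it (OrganizationAccountAccessRole), that Cost Explorer is enabled in the management account, and uses constructed account IDs and amounts; no AWS call is made.

```python
"""Per-customer billing and access-role protection for one-account-per-customer.
Pure Python: the dicts match boto3's ce.get_cost_and_usage shapes, but nothing
here talks to AWS, so it runs offline against the constructed sample below."""
from collections import defaultdict
from datetime import date
from decimal import Decimal


def monthly_cost_query(year, month):
    """kwargs for boto3.client("ce").get_cost_and_usage(**query): one calendar
    month grouped by member account. End is exclusive, so it is the first day
    of the next month (December rolls over to January of the next year)."""
    start = date(year, month, 1)
    end = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    return {
        "TimePeriod": {"Start": start.isoformat(), "End": end.isoformat()},
        "Granularity": "MONTHLY",
        "Metrics": ["UnblendedCost"],
        "GroupBy": [{"Type": "DIMENSION", "Key": "LINKED_ACCOUNT"}],
    }


def per_account_bill(pages):
    """Sum UnblendedCost per LINKED_ACCOUNT over every page fetched while
    NextPageToken was present, so an account split across pages is added, not
    overwritten. Amounts arrive as strings; Decimal keeps invoice math exact."""
    totals = defaultdict(Decimal)
    for page in pages:
        for result in page["ResultsByTime"]:
            for group in result["Groups"]:
                totals[group["Keys"][0]] += Decimal(group["Metrics"]["UnblendedCost"]["Amount"])
    return dict(totals)


def protect_access_role_scp(role_name="OrganizationAccountAccessRole"):
    """SCP for the customers' OU: no principal in a member account (root user
    included) may alter or delete the parent's access role, except that role
    itself. SCPs bound every IAM policy in the account, so the customer's
    admin users cannot lock the parent out however much IAM power they hold."""
    role_arn = f"arn:aws:iam::*:role/{role_name}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ProtectParentAccessRole", "Effect": "Deny",
        "Action": ["iam:AttachRolePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy",
                   "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:UpdateRole",
                   "iam:UpdateAssumeRolePolicy", "iam:PutRolePermissionsBoundary"],
        "Resource": role_arn,
        "Condition": {"ArnNotLike": {"aws:PrincipalARN": role_arn}}}]}


# Constructed sample: two response pages for one month; account 111111111111 appears on both.
SAMPLE_PAGES = [
    {"ResultsByTime": [{"TimePeriod": {"Start": "2023-12-01", "End": "2024-01-01"}, "Groups": [
        {"Keys": ["111111111111"], "Metrics": {"UnblendedCost": {"Amount": "12.50", "Unit": "USD"}}},
        {"Keys": ["222222222222"], "Metrics": {"UnblendedCost": {"Amount": "0.10", "Unit": "USD"}}}]}],
     "NextPageToken": "constructed-token"},
    {"ResultsByTime": [{"TimePeriod": {"Start": "2023-12-01", "End": "2024-01-01"}, "Groups": [
        {"Keys": ["111111111111"], "Metrics": {"UnblendedCost": {"Amount": "0.20", "Unit": "USD"}}}]}]},
]

if __name__ == "__main__":
    print(monthly_cost_query(2023, 12)["TimePeriod"])
    print(per_account_bill(SAMPLE_PAGES))
```

Attach the returned SCP to the OU holding the customer accounts; the parent account's own IAM users are then the only path to changing that role, which is also the event to alert on in CloudTrail.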