Another very useful alternative is using a separate CDN to serve the files with token authorisation - you add some parameters to the URL, and it will check and allow/deny the DL.
I had good results with both Google-Cloud-storage and BunnyCDN doing that.