I mean serve all images through script. That way when you copy the source url from it you'll end up with a .php file, so you'd have image.php?id=5 for an example. That is used to lookup the image and simply passes it through. Since it's a PHP script you can bind any rules to it as you would any other script, but the only difference is that you must return an image for it, so make sure you have a default image indicating its locked or whatever in case they don't pass the check.
Then make sure all the images are above the directory root so you cannot access them directly.
.htaccess wise, you can determine if it is an image, then take that name and forward it to the image script. This way you can still have myimage.jpg, but instead maps to image.php?id=myimage.jpg for example.
The goal is to simply make sure that a script controls access to the resource. The most effective way to guarantee that is to make the resource accessible only through the script.