Be advised, some JavaScript fetch methods do not properly use the headers, and even old school 2011-2013 apache methods have been known to fail.

I think you are over thinking, because, in order to get that URL, a member would have already needed to be logged in.

You are actually stopping hot-linking with that code. Firefox is notorious for breaking those rules. And failing in many instances of such referrer code being checked.

Plus, anyone wanting to actually get that video, who has any smarts, can set the referrer header themselves. I tried to explain that the server itself doesn't know if your logged into UNA. I personally can think of a dozen ways around that check.

Personally, how I tackled the situation of subscriber content on my site (paid for videos, photos, etc) was a proprietary proxy that only streams or sends the image if subscribed to the content. Which, is fool proof.

Anyhow, what ever you feel is best for you, is all that matters. 😊