Is there a way to truly restrict domain access to object storage (Linode)?

I’ve been serving some vector map tiles from an object storage bucket on Linode. It’s fantastic, for the paltry price of a bucket you can basically serve GL accelerated vector maps!

But because the map viewer is a client side static site (on Netlify), I have to put the bucket URL in the frontend code. I can access this URL and the data from anywhere.

I know there are HTTP header policies, but these are not robust because browsers can strip headers and ignore these policies.

Does using a bucket just mean resigning oneself to the fact that the data will make love to the world? Do I need to spin up a server that can obscure the requests somehow?

How to be static and secure?