Does this .htaccess security setting really work?

It appears to prevent any POST requests to wp-login.php that aren’t made from a page on my-domain.com.

When the browser sends a POST request, say after submitting a form, it will include an HTTP Referrer header telling the server where the request came from.

This theoretically prevents bots submitting POST requests directly to wp-login.php as part of a brute force attack, but the HTTP referrer is trivial to fake, so it’s not actually all that helpful.
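An added example, not part of the original answer: it models the referer check over access-log lines to show that requests claiming the site's own Referer pass it, and that counting login POSTs per client IP still exposes them. The log lines are constructed, and the host-matching logic and the threshold of 3 are assumptions, since the page does not show the rule itself.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Apache "combined" log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"
198.51.100.9 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://my-domain.com/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://my-domain.com/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://my-domain.com/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://my-domain.com/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:02:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://my-domain.com/wp-login.php" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def referer_check_passes(referer, site_host="my-domain.com"):
    """Assumed model of the rule: accept only a Referer whose host is the site."""
    host = urlsplit(referer).hostname or ""
    return host == site_host or host.endswith("." + site_host)

def login_posts(log_text):
    """Yield (ip, referer) for every POST to /wp-login.php in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and urlsplit(m["path"]).path == "/wp-login.php":
            yield m["ip"], m["referer"]

def analyse(log_text, threshold=3):
    """Return (login POSTs per IP that pass the referer check, IPs at/over threshold)."""
    passed = Counter()
    for ip, referer in login_posts(log_text):
        # The Referer is request data supplied by the client, so a match here
        # says nothing about whether a browser on the site produced the request.
        if referer_check_passes(referer):
            passed[ip] += 1
    flagged = sorted(ip for ip, n in passed.items() if n >= threshold)
    return passed, flagged

if __name__ == "__main__":
    passed, flagged = analyse(SAMPLE_LOG)
    print("passed referer check:", dict(passed))
    print("flagged by per-IP count:", flagged)
```
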
