You cannot at the same time allow access to file (via embedding) and disallow access to file. That’s just not practical and you waste your time on holes.
The comment is quite right that you would need to stream file from protected location for working access control. Even then if client-side viewer has access to it then it’s a non-issue to get the file itself out.
Note that WordPress core is completely engineered to reside in web–accessible location. Splitting some of the media from that and implementing streaming that a quick and trivial customization.