Based on everything I've read and tried you can't do it. You can deny a directory listing, you can completely deny access to the files in a directory based on many things like IP, user etc. and you can allow access too.
... but you cannot both allow a web visitor to access an image or data file through html and php and simultaneously deny them direct access to that same file through a browser. For individual files, .htaccess allows access or it doesn't. Web visitors can do a "view source" to see the image or data file and then just type the URL to it.