I think the key line is:
"How can I allow access to content via a script, but disallow it via a direct URL?"

So accessing via the CGI is what he wants, just not accessing the file directly. The simple solution is to put the file(s) in a directory that is accessible by the Apache user (or CGI user) but not under the document root. The CGI would then be responsible for verifying the session/auth and presenting the file if it needs to, or the error page if the file access is not allowed.
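
The arrangement described in the reply above, sketched as an added example (not code from this thread): a CGI handler that checks the session before reading from a directory outside the document root. The token scheme, `PROTECTED_DIR`, the `session` cookie, the `file` parameter and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, tempfile
from pathlib import Path
from urllib.parse import parse_qs

# Assumption: a directory outside the document root, readable by the CGI user.
# A temp dir with one constructed file stands in for it so the example runs.
PROTECTED_DIR = Path(tempfile.mkdtemp(prefix="protected_")).resolve()
(PROTECTED_DIR / "report.txt").write_bytes(b"members only\n")

SECRET = b"constructed-demo-key"  # placeholder; keep the real key out of the docroot too

def sign_session(user):
    """Issue a session token 'user:hmac' (hypothetical scheme for this example)."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"

def session_user(token):
    """Return the user name if the token verifies, else None."""
    user, _, mac = token.partition(":")
    key_input = user.encode("utf-8", "surrogateescape")
    expected = hmac.new(SECRET, key_input, hashlib.sha256).hexdigest()
    ok = user and hmac.compare_digest(mac.encode("utf-8", "surrogateescape"),
                                      expected.encode())
    return user if ok else None

def handle(token, requested):
    """Check the session first, then map the name into PROTECTED_DIR only."""
    if session_user(token) is None:
        return "403 Forbidden", b"Access denied\n"
    try:
        target = (PROTECTED_DIR / requested).resolve()
    except (OSError, ValueError):
        return "404 Not Found", b"No such file\n"
    # Reject ../ sequences, absolute paths and symlinks that leave the directory.
    if PROTECTED_DIR not in target.parents or not target.is_file():
        return "404 Not Found", b"No such file\n"
    return "200 OK", target.read_bytes()

def cgi_response(environ):
    """Build the CGI output from the request environment (os.environ under Apache)."""
    cookies = dict(p.strip().partition("=")[::2]
                   for p in environ.get("HTTP_COOKIE", "").split(";"))
    name = parse_qs(environ.get("QUERY_STRING", "")).get("file", [""])[0]
    status, body = handle(cookies.get("session", ""), name)
    head = f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n"
    return head.encode() + body

if __name__ == "__main__":
    import os, sys
    sys.stdout.buffer.write(cgi_response(os.environ))
```

Because the files are not under the document root, no URL maps to them; the script is the only path to the content, so the containment check on the resolved path matters as much as the session check.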