Yes, this sort of prevention of embedded resources by third parties (vulgo hotlinking) is traditionally based on the referrer. Historically, browsers always sent the referrer, unless configured not to do so by the user. As the latter was rather the exception, it usually worked by checking whether the referrer contained a legitimate host or nothing at all and only letting it pass if these conditions were met.
Now, “recent” *) browser versions extended that control from just the user to the world of HTML and in doing so allow third parties to embed resources without the usual referrer being sent, which in turn means the aforementioned approach (expecting an illegitimate host when embedded) won't work any longer.
I guess at this point the only viable way to address that issue is to always expect a referrer and never accept an empty field. That, however, will also mean all legitimate requests without a referrer would be blocked (e.g. direct requests for the resource, requests from browsers configured not to send the referrer, etc.).
Apologies if I over-explained.
*) Seems to go back already three to five years.
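
The two checks described in the post above, side by side, as an added example that is not part of the original post. The allowed host names, the function names and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed legitimate hosts for this sketch (placeholders, not from the post).
ALLOWED_HOSTS = {"example.org", "www.example.org"}

def classify(referer):
    """Sort a Referer header value into 'absent', 'legit' or 'foreign'."""
    if referer is None or not referer.strip():
        return "absent"
    try:
        host = urlsplit(referer.strip()).hostname  # already lower-cased
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return "foreign"
    if host and host.rstrip(".") in ALLOWED_HOSTS:
        return "legit"
    return "foreign"

def allow(referer, strict):
    """Traditional check (strict=False) lets an empty referrer through;
    the strict check (strict=True) always expects a legitimate referrer."""
    kind = classify(referer)
    if kind == "absent":
        return not strict
    return kind == "legit"

# Constructed sample requests: label -> Referer header as received (None = not sent).
SAMPLES = {
    "own page": "https://www.example.org/gallery",
    "third-party embed": "https://other.example.net/post",
    # The embedding page told the browser not to send a referrer.
    "third-party embed, referrer suppressed": None,
    "direct request": None,
}

def decisions(strict):
    """Return label -> allowed? for every sample under the chosen policy."""
    return {label: allow(ref, strict) for label, ref in SAMPLES.items()}

if __name__ == "__main__":
    for label in SAMPLES:
        print(f"{label:40} traditional={decisions(False)[label]!s:5} "
              f"strict={decisions(True)[label]}")
```

On the server, the last two samples are indistinguishable, which is why the strict check blocks the direct request together with the suppressed-referrer embed.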