If you’re using Cloudflare in front of the content, running hotlink protection at the origin is not going to work correctly.
Hotlink protection is based on the HTTP “referer” request header typically, and this is not included in the cache key when Cloudflare caches your content. This means that the first request to your resource will be cached and all subsequent requests to the same URL will get the same cached response. In practice this means some people will be blocked incorrectly, and others will be allowed incorrectly.
The right approach here would be to disable the hotlinking logic at your origin and enable Cloudflare’s hotlinking feature, or use the more flexible Firewall rules feature to define your own logic on Cloudflare.