You either block it or you don’t.
Not exactly. You can pick apart the headers and find out if the packet is referred from a page from a specific approved site. Sure, it takes some temp files to set everything up for the initial transaction, but it's doable.
I would bid 80 hours at my normal bill rate and promise the filtering, and a cute little web app to control it.
/johnny