Well, you can, but it probably isn’t worth the trouble. You’d have to set up a very-short-lived database of IPs that have requested a page within the last 60 seconds or 5 minutes or whatever is appropriate, and allow only those IPs to receive images associated with any given page. (No, I have no idea how to do this. But I think it’s what you would have to do.)
But wait. You said that your own site isn’t https. So where are these referer-less requests coming from? Seems like, by definition, they’re not coming from your own site. So just block them.
Edit: In recent months, I’ve seen a big upsurge in referer-less image requests from mobiles, particularly Androids. So far I haven’t figured out how to verify it, but I’m pretty sure they’re not viewing the real, full-size image. I think it’s coming from image search. My solution, based on my specific individual circumstances*: ignore them.
https://subwaysurfers.vip/ https://psiphon.vip/ https://hillclimbracing.vip/