It's not really possible to stop 100% of leeching - the aim is to stop 99.9% of it
It's a piece of piss to set up a curl request with the referer and user agent faked - the web server cannot tell the difference from a real surfer.
However, you just want to stop a massive bandwidth hit from having tons of joe surfers looking at it ..
This solution looks pretty good:
http://www.serverwatch.com/tutorials...le.php/1132731
Doesnt use rewrite but looks effectively the same. Just put a .htaccess with 'Allow from All' in it, for the dirs you want to leave hotlinkable, and modify the extensions to include the file types you want to protect.
If you want to stop people from sucking 2 gigs of content from your paysite, that's another story - the way I would go at it would be to pipe logs to a process that can analyse activity on the fly .. then set it to watch for suspicious activity that indicates leeching; then kill the account or 'Deny from' the IP of the leecher.
OR, set the document root to be a PHP script that can handle content negotiation.