Are you making download links available for restricted files with $file->url()? Files get copied to the media folder only when the URL returned by the url() method is accessed in the browser.
I suggest you to create a custom file method to generate a URL for restricted files instead of using the default $file->url(). Then point those files to a custom route from where you could handle the authorization logic or token validation. Here is a simple example:
<?php // site/config/config.php
return [
'routes' => [
[
'pattern' => 'restricted/(:any)',
'action' => function ($hash) {
// validate request
if ($file = site()->index()->files()->findBy('hash', $hash)) {
return Response::download($file->root(), 'new-filename.pdf');
}
return site()->errorPage();
}
],
],
];