We can use CloudFront distributions to secure the S3 object
Here's step by step guide
The term I mentioned above about the valid token can be checked by trigger a lambda function
when accessing to a signed url
https://github.com/aws-samples/amazon-cloudfront-signed-urls-using-lambda-secretsmanager