Hello!
No client-side(in browse) solution would ultimately protect the source URI, it may make it more difficult to obtain bu as the demasking is done in teh browser it hass all the necessary code for them to follow inline, so it's just a matter of calculation. A server-side solution is a black-box one - unless they have their hands on teh code to know the exact access-control measures being applied there's no way for an 'attacker' to emulate the proper flow.
I am assuming the resources to protect are served from teh same host/server/site, if not please clarify. Is there any way I can see the site as is now(just the front end for now)?
Kind Regards,
Dobri