You can't just add headers to clientside image requests without
basically manually fetching and drawing it to a canvas,
and the UUIDs are random enough that they won't be brute forced.
So, for vastly more simple client code, remove the auth guard.