We just stopped using basic authentication and are instead using Google and Facebook authentication or as an alternative One-Time-Passwords. All authentication is against a white-list of emails (we actually only store a hash of the emails).

But I never felt comfortable with relying on the fact that no one could guess a file name using hashes and hence we could put all our images on S3 and host them via a CDN.

I did not want to go through signing each URL for CloudFront which would have had an impact on cashing, but a few weeks back I logged on to CloudFront and read about signed cookies.
After a few trial, we are now limiting S3 access to CloudFront and are using signed cookies that are only set when a user is authenticated.

This is still a bit awkward because the cookie has to be set for the CDN and the authentication has to be passed through to the CDN, but it works.
Since it will be easy with a CNAME I’ll try that next to remove the complexity of the request sequence.