Restrict Direct URL Access to Mapbox GeoJSON Layer Files?

I am using Tomcat. The Mapbox Mapping application utilizes GeoJSON layer files for elements on a map. Sometimes these GeoJSON layer files contain proprietary data. What is the best way to restrict direct URL access to Mapbox GeoJSON layer files, but still allow Mapbox to utilize these files? If I put a security constraint in the web.xml, Mapbox is not "logging in" with a specified role, so the Mapbox access is blocked. It may be that it is beyond Tomcat's architecture to allow application access and restrict direct URL access.