We want to make the data and imagery available to the public via our website but we are not a hosting service for other entities. It is especially frustrating as IT has reported these other entities are accounting for more than 30 times our own network traffic to the image services.
I also want to make sure this is not a violation of any ESRI policy.
I normally share content to a group only and then create an item for my app, register it, and use OAuth in the application to access the services, and you can even provide a referrer for your app.
Sorry, I misinterpreted the use case. I think that using a self-hosted resource proxy as described in the 'Application login' section would be an option. The calls to the secure service from the public app would go through the proxy.
You could disable directory browsing but the service is still available if you use browser developer tools to monitor network traffic. If your organization has a load balancer managing traffic coming in, maybe you could set up a url referrer allow list for your services so it blocks anything coming in that's not from your app. I'm not a network engineer so I can't be of anymore help there. I don't think there's anything natively available in ArcGIS Server to do this.