HLS streaming session/token

Currently after authenticated user got a link to the master playlist he’s practically able to grab the link and continue use it outside of peertube (re-stream).
Problem is missing session, (similar to rtmp session), token, or any other form of authentification for all m3u8/ts requests.
For example socket.io or rtmp doesn’t have such problem – all requests have ?accessToken in the query (or rtmp session) and therefore protected – so you’re in control of who is watching which title and able to drop/ban user, but this is not a case with a plain HLS link (static/streaming-playlists/hls/uuid/filename) – here https requests come without token and indistinguishable among legitimate users or « pirates ».
Could you suggest is that possibly to achieve and what would be recommendations for a plugin/modification?