Over on StackOverFlow there is a thread on preventing users from downloading webfonts or hot linking web fonts. Some guy somewhere else said to use a .htaccess file with
Deny from all
which is of course duh... wrong because it will not deliver the font at all. Here is another so-called solution.
SetEnvIfNoCase Referer "^https?://([^/]*)?example\.com/" local_ref=1
SetEnvIf Referer ^$ local_ref=1
Allow from env=local_ref
But this does not work for me either...if I use the above... the fonts are not sent by apache.