As says @David Houde, such logic should be implemented in the application, for instance in the following way:
The images uploaded by your users will be stored outside of the web site root directory, so they cannot be accessed directly using a URL,
You need to setup your website to handle virtual URLs (the most simple here being a rewrite rule internally passing the request URL as parameter to some PHP (or whatever) script),
Then, in your script you will have full latitude to check whether the request match your policy,
And if the request is legitimate, your script will be able to open the requested image file and send its content as web server answer.