
Attention, everybody who publishes on the web:

Selectively requiring authentication (based on referrer, user-agent, cookies, etc.) is not a supported feature of the internet. If you want to go ahead and implement it anyway, that's fine - but it's pointless to get mad when it doesn't really work the way you hoped it would.



More generally, everyone who publishes on the web should understand that user agent is to be taken literally and at face value. The browser does what the user tells it to do, which may not be what your server asks it to do. A good browser will do things like lie to your server on behalf of the user when you try to get it to act counter to the user's interests.


Sure it is. Depends on your definition of authentication. But it's totally a "supported feature of the internet".

This plugin isn't fundamentally different than spoofing a session cookie.



