There are several possible security from hotlinking settings:
In the signature, you can optionally specify the lifetime, the IP-address (es) for which the signature is valid, and the maximum number of IP-addresses that can use this URL.
In short - any of these three checks (for the correct IP, coockie or referrer) is enough for the request to be accepted and processed. Hotlink can not fake any of these parameters