douduan3203 2014-11-07 14:16

How do I hide direct access to my JavaScript files?

I'm running a LAMP web server.

I'd like to include my script files on my page with:

<script src="http://domain.com/script.js"></script>

I would like visiting http://domain.com/script.js to display either an error, or a blank page.

I've seen other similar questions, of which the answer was "just obfuscate it", or "security by obfuscation is bad".

This isn't for the sake of security. I'm wanting to stop bots from pulling my code automatically. I'm ok with human users getting the code. I would simply like this as an alternative to obfuscation.

I've already attempted this with the use of base64_encoded $_GET and $_SESSION parameters. I'm wondering if there's a more elegant solution out there.


CLARIFICATION:

I am aware that Javascript is still available to the user. I am perfectly fine with the code being accessible via Firebug, Chrome's developer tools, etc. I simply want the code accessible via my tags, and inaccessible directly. This is not for security, and not to "hide" my code.


Clarification 2:

The reason I need this is because our company recently found a competitor running scripts to scrape data off of our site. I would like to be able to prevent the data from being scraped via their script, and force them to do it manually.


  • duanqia9034 2014-11-07 20:02

    I opted to just pursue the $_SESSION/$_GET/$_POST-gated script I had started before visiting StackOverflow.

    The solution's not perfect, but it suits my needs, in that the scripts are accessible via my tags, but inaccessible directly. This is a simplified version of what I am doing:

    File 1 is the PHP file generating the HTML page the user sees. This file creates a random value, and sets the value to the session. The script file File 2 is included using this random value as a GET parameter.

    File 1:

    <?php
    session_start();
    $gate['first_gate'] = crypt((time() * mt_rand()) . 'salt');
    $gate['second_gate'] = null;
    $_SESSION['gate'] = json_encode($gate);
    ?>
    <html>
        ...
        <!--this is just the HTML page including the script-->
        <script src="file_2.php?gate=<?=base64_encode(json_encode($gate))?>"></script>
        ...
    </html>
    

    File 2 is the PHP file functioning as a gate for the actual JavaScript code. It verifies that the randomized session variable is equal to the GET parameter, then grabs the code from File 3 using a POST request.

    File 2:

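     <?php
     session_start(); //Required before reading $_SESSION
     $session_gate = json_decode($_SESSION['gate'] ?? 'null');
     $get_gate = json_decode(base64_decode($_GET['gate'] ?? ''));
     //Exit if the gate is missing or already used (null), or if the session value != the get value
     if(empty($session_gate->first_gate) || !isset($get_gate->first_gate)
         || $get_gate->first_gate !== $session_gate->first_gate) exit;
    
     //Set first gate to null to prevent re-visit
     $session_gate->first_gate = null;
     $session_gate->second_gate = crypt((time() * mt_rand()) . 'salt');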
     $_SESSION['gate'] = json_encode($session_gate);
     header('Content-Type: application/javascript');
     ?>
     //This is visible via "view source" (then clicking on the script's URL)
     //Grab the actual JS file, hidden behind a POST "wall"
     $.post("file_3.php", { gate: '<?=base64_encode($_SESSION['gate'])?>' });
    

    File 3 is inaccessible when directly viewing the page, as it exits without the POST data from File 2. Bots will still be able to ping it with a POST request, so some additional safety measures should be added here.

    File 3:

     <?php
     session_start(); //Required before reading $_SESSION
     //Exit without a POST request. Use a more specific value, other than
     //the $_POST superglobal by itself (just using $_POST for illustrative purposes)
     if(!$_POST) exit; //or print an error message
     $session_gate = json_decode($_SESSION['gate'] ?? 'null');
     $post_gate = json_decode(base64_decode($_POST['gate'] ?? ''));
     //Exit if the gate is missing or already used (null), or if the session value != the POST value
     if(empty($session_gate->second_gate) || !isset($post_gate->second_gate)
         || $post_gate->second_gate !== $session_gate->second_gate) exit;
    
     //Set both gates to null to prevent re-visit
     $session_gate->first_gate = null;
     $session_gate->second_gate = null;
     $_SESSION['gate'] = json_encode($session_gate);
     //Additional safety measures (such as IP address/HOST check) here, if desired
     header('Content-Type: application/javascript');
     ?>
     //Javascript code here
    
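An added example, not part of the original answer: the same one-time gate written with `random_bytes()` and `hash_equals()` in place of `crypt(time() * mt_rand())` and `!=`, plus an expiry, so that a replayed, empty or null token is rejected instead of comparing equal to a gate that was already set to null. The names `issue_gate()`, `consume_gate()` and `GATE_TTL` and the 30-second lifetime are assumptions, and `$session` stands in for `$_SESSION`.

```php
<?php
declare(strict_types=1);
// Added example: one-time, expiring gate tokens held in a session-like array.
// issue_gate(), consume_gate() and GATE_TTL are illustrative names, not from the answer.

const GATE_TTL = 30; // seconds a token stays valid (assumed value)

// Store a fresh random token under $name and return it for embedding in the page.
function issue_gate(array &$session, string $name, ?int $now = null): string
{
    $token = bin2hex(random_bytes(16)); // CSPRNG output, not time() * mt_rand()
    $session['gate'][$name] = [
        'token' => $token,
        'exp'   => ($now ?? time()) + GATE_TTL,
    ];
    return $token;
}

// Return true only for the matching, unexpired token. The stored token is
// removed on every call, so it cannot be replayed or guessed at repeatedly.
function consume_gate(array &$session, string $name, $presented, ?int $now = null): bool
{
    $stored = $session['gate'][$name] ?? null;
    unset($session['gate'][$name]); // single use, even when the check fails
    if (!is_array($stored) || !is_string($presented) || $presented === '') {
        return false; // nothing issued, or an empty/null/non-string value was sent
    }
    if (($now ?? time()) > $stored['exp']) {
        return false; // token is too old
    }
    return hash_equals($stored['token'], $presented); // constant-time comparison
}

// Constructed demo with fixed timestamps; run with the PHP CLI.
if (PHP_SAPI === 'cli') {
    $session = [];
    $t = issue_gate($session, 'first', 1000);
    var_dump(consume_gate($session, 'first', $t, 1005));   // first use of a valid token
    var_dump(consume_gate($session, 'first', $t, 1006));   // replay of the same token
    var_dump(consume_gate($session, 'first', null, 1006)); // null against a cleared gate
    $t = issue_gate($session, 'second', 1000);
    var_dump(consume_gate($session, 'second', $t, 1000 + GATE_TTL + 1)); // expired token
}
```

In the three-file layout above, File 1 would call `issue_gate($_SESSION, 'first')`, File 2 would call `consume_gate()` on the GET value and issue `'second'`, and File 3 would consume `'second'` from the POST value.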
