AES encryption seems like a good alternative - using a non-cloudfront server to control access to the keys. The HLS chunks would be publicly accessible, but without decryption keys they would be useless.
Is it possible to use AES encryption with Cloudfront? I haven't seen anyone else doing it, but intuitively it seems like it could work. Has anyone tried this?