The idea is that you would use something like a path matcher (to avoid running your matcher all the time because I figure it could be costly to run a lot) + your custom matcher, where your custom matcher would verify that the token is valid and return true if it is, false otherwise.
If the matcher passes, then you can use the rewrite handler to allow access.
Maybe something like this (assuming hex digits for the token):
So basically, it uses a regexp to match the path and extracts capture groups, where the first capture group is the /file/foo.jpg path. If that regexp matches, and your custom signature check passes, then you can rewrite using the first capture group as the new path.
Take a look at matchers.go which is where the majority of the request matchers are implemented in Caddy:
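The check described in this post, as an added stand-alone Go example; it is not part of the original post and is not Caddy's code or the matchers.go file mentioned above. It assumes a URL of the form `<path>/<token>` where the token is the hex-encoded HMAC-SHA256 of the path under a shared secret; the names `signedPath`, `sign` and `matchSigned` are hypothetical, and wiring the function into a Caddy matcher module is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Assumed layout (not from the post): <path>/<64 lowercase hex digits>.
// Group 1 is the path to rewrite to, group 2 is the token.
var signedPath = regexp.MustCompile(`^(/file/.+)/([0-9a-f]{64})$`)

// sign returns the hex token for a path (hypothetical helper).
func sign(secret []byte, path string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(path))
	return hex.EncodeToString(mac.Sum(nil))
}

// matchSigned plays the role of the path regexp plus the custom matcher:
// it returns the first capture group and true only when the token verifies.
func matchSigned(secret []byte, urlPath string) (string, bool) {
	m := signedPath.FindStringSubmatch(urlPath)
	if m == nil {
		return "", false // cheap path check failed, no HMAC computed
	}
	want := sign(secret, m[1])
	// hmac.Equal compares in constant time, so the check leaks no
	// information about how many leading characters were correct.
	if !hmac.Equal([]byte(m[2]), []byte(want)) {
		return "", false
	}
	return m[1], true
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample value
	tok := sign(secret, "/file/foo.jpg")
	// Constructed requests: valid, token reused for another file, no token.
	for _, p := range []string{"/file/foo.jpg/" + tok, "/file/bar.jpg/" + tok, "/file/foo.jpg"} {
		target, ok := matchSigned(secret, p)
		fmt.Printf("%-5v rewrite=%q\n", ok, target)
	}
}
```

Because the token is computed over the captured path, a token issued for one file does not validate for another.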