You can tell clients to check the http referrer for your domain. That would (mostly) stop people from posting now-useless destination URLs online.
http referrers are easily spoofed, of course, but it'll be enough to prevent most people from sharing secret urls on twitter. You could also pivot and allow people to upload files to your own server, but that's a different story.
That would hurt the UX. For example if someone gets the link to a blog-post-in-the-making they shouldn't have to go through Gumroad to access it every time.
http referrers are easily spoofed, of course, but it'll be enough to prevent most people from sharing secret urls on twitter. You could also pivot and allow people to upload files to your own server, but that's a different story.