My platform uses
Allow from 127.0.0.1
You should implement an authentication system in all your API calls if you want to restrict their access.
Basically, you cannot prevent a user from opening the Network tab in the DevTools and watching the requests that your client makes to the server API: an advanced user can see the parameters sent with each request and resend the request with the same or different parameters.
If this file is accessible through AJAX, it is accessible to the client anyway: what you have to do is make sure that the user cannot access more things than the AJAX calls allow him. To do that, secure your API, e.g. by requesting a user token for every call: the server would know which user accesses the API and you can handle authorization from that point.
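A sketch of the token-per-call approach described above, as an added example that is not part of the original answer: the server verifies a signed token on every request and then checks that the identified user owns the requested record, so a request resent with different parameters is refused. The HMAC token format, the names `issue_token`, `authenticate`, `handle_get_record` and the sample records are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: in practice loaded from server-side secret storage

def issue_token(user_id, ttl=900, now=None):
    """Issued once after login; the client sends it back with every AJAX call."""
    claims = {"uid": user_id, "exp": int(now or time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def authenticate(token, now=None):
    """Return the user id carried by a valid, unexpired token, else None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError, AttributeError):
        return None
    if claims["exp"] < (now or time.time()):
        return None
    return claims["uid"]

# Constructed sample data: each record belongs to one user.
RECORDS = {
    "inv-1": {"owner": "alice", "total": 120},
    "inv-2": {"owner": "bob", "total": 75},
}

def handle_get_record(headers, record_id, now=None):
    """API handler: authenticate first, then authorize against the record owner."""
    auth = headers.get("Authorization", "")
    uid = authenticate(auth[7:], now) if auth.startswith("Bearer ") else None
    if uid is None:
        return 401, {"error": "authentication required"}
    record = RECORDS.get(record_id)
    # Same response for missing and foreign records, so ids cannot be probed.
    if record is None or record["owner"] != uid:
        return 404, {"error": "not found"}
    return 200, record
```

The client can still read and replay its own requests; what changes is that every response is limited to what the authenticated user is allowed to see.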