The easiest way to handle this is to deal with the doc through Active Storage, where you let Rails upload it into an Amazon S3 bucket.
Active Storage will then generate an indirect link which goes through your app and returns a signed, time-limited AWS link.
You can add logic at the Active Storage controller to make sure the user is logged in, and if they copy and paste the redirected link, it won’t work for long.
There is some good chat here about how it would be really nice to avoid this complication, but it should give you some background info anyway!
Alternatively, you could roll your own - I assume the private content doc you linked is what Rails is using under the hood.
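
An added example, not part of the original post and not Active Storage's or AWS's own code: a stand-alone Ruby sketch of the "roll your own" pattern described above, where the app hands a short-lived signed link only to a logged-in user and the file endpoint rejects tampered or expired links. It uses a plain HMAC-SHA256 signature in place of S3 presigning; `SECRET`, the `/files/` path layout and all function names are assumptions made for the illustration.

```ruby
require "openssl"

# Constructed demo secret; a real app would load this from its credentials store.
SECRET = "constructed-demo-secret"

# Sign "key|expires_at" so neither value can be changed without breaking the link.
def sign(blob_key, expires_at)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{blob_key}|#{expires_at}")
end

# App side: the login check happens here, before any link is issued.
def issue_link(user, blob_key, now: Time.now.to_i, ttl: 300)
  return nil if user.nil? # not logged in, no link
  expires_at = now + ttl
  "/files/#{blob_key}?expires=#{expires_at}&sig=#{sign(blob_key, expires_at)}"
end

# Constant-time comparison so signature checks do not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# File-serving side: check the signature first, then the expiry it protects.
def verify_link(link, now: Time.now.to_i)
  m = link.match(%r{\A/files/([A-Za-z0-9_-]+)\?expires=(\d+)&sig=(\h{64})\z})
  return :malformed unless m
  key, expires_at, sig = m[1], m[2].to_i, m[3]
  return :bad_signature unless secure_compare(sig, sign(key, expires_at))
  return :expired if now > expires_at
  :ok
end

if __FILE__ == $PROGRAM_NAME
  link = issue_link("alice", "doc1", now: 1_000, ttl: 300)
  puts link
  puts verify_link(link, now: 1_100)   # within the validity window
  puts verify_link(link, now: 2_000)   # copied link used too late
  puts verify_link(link.sub("expires=1300", "expires=9999"), now: 2_000)
end
```

A copied link still works for anyone until `expires` passes, which is why the lifetime is kept short and the login check sits in front of link issuance.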