diff --git a/app/controllers/live_streams_controller.rb b/app/controllers/live_streams_controller.rb
index 6a523f17..2040e663 100644
--- a/app/controllers/live_streams_controller.rb
+++ b/app/controllers/live_streams_controller.rb
@@ -5,8 +5,16 @@ class LiveStreamsController < ApplicationController
 # Therefore, it is extracted into a separate controller
 include ActionController::Live
+ skip_before_action :deny_access_from_render_host, only: :download_submission_file
+ skip_before_action :verify_authenticity_token, only: :download_submission_file
+ skip_before_action :set_sentry_context, only: :download_submission_file
+ before_action :require_user!, except: :download_submission_file
+
 def download_submission_file
- @submission = authorize AuthenticatedUrlHelper.retrieve!(Submission, request, force_render_host: false)
+ @submission = AuthenticatedUrlHelper.retrieve!(Submission, request)
+ # Set @current_user with the corresponding learner for Pundit checks
+ @current_user = @submission.user
+ authorize @submission
 rescue Pundit::NotAuthorizedError
 # TODO: Option to disable?
 # Using the submission ID parameter would allow looking up the corresponding exercise ID
diff --git a/app/controllers/submissions_controller.rb b/app/controllers/submissions_controller.rb
index 14fd2eb4..b0b41a7e 100644
--- a/app/controllers/submissions_controller.rb
+++ b/app/controllers/submissions_controller.rb
@@ -498,6 +498,7 @@ class SubmissionsController < ApplicationController
 def augment_files_for_download(files)
 submission_files = @submission.collect_files + @submission.exercise.files
+ host = ApplicationController::RENDER_HOST || request.host
 files.filter_map do |file|
 # Reject files that were already present in the submission
 # We further reject files that share the same name (excl. file extension) and path as a file in the submission
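Review bot: In `download_submission_file` (live_streams_controller.rb), assigning `@current_user = @submission.user` makes the following `authorize @submission` pass by construction, so the signed URL checked by `AuthenticatedUrlHelper.retrieve!` is the only access control left on this action now that `require_user!` and the render-host guard are skipped for it. I would say so on the assignment, e.g. `# The signed URL is the sole credential here; retrieve! must have rejected a tampered or expired URL before this line runs`, and confirm that nothing later in the action (logging, rendering) treats `@current_user` as the person actually making the request. Skipping `verify_authenticity_token` only matters if the route accepts non-GET verbs, which is not visible here; if it is GET-only the skip can be dropped. The method body continues past the end of the hunk.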
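Review bot: In `augment_files_for_download`, `ApplicationController::RENDER_HOST || request.host` only falls back when the constant is `nil`; an empty string is truthy in Ruby, so a blank configuration value would be passed as `host:` to `download_stream_file_submission_url` in the next hunk and end up in the signed link. If the constant can be blank (its definition is not visible here), `host = ApplicationController::RENDER_HOST.presence || request.host` avoids that. The fallback `request.host` is taken from the request's Host header, so the generated URL is only as trustworthy as the host filtering in front of the app; a one-line comment noting that would help the next reader.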
@@ -505,7 +506,7 @@ class SubmissionsController < ApplicationController
 next if submission_files.any? {|submission_file| submission_file.filepath_without_extension == file.filepath_without_extension }
 # Downloadable files get a signed download_path and an indicator whether we performed a privileged execution
- file.download_path = AuthenticatedUrlHelper.sign(download_stream_file_submission_url(@submission, file.filepath), @submission)
+ file.download_path = AuthenticatedUrlHelper.sign(download_stream_file_submission_url(@submission, file.filepath, host:), @submission)
 file.privileged_execution = @submission.execution_environment.privileged_execution
 file
 end
diff --git a/app/policies/submission_policy.rb b/app/policies/submission_policy.rb
index 0dd3e950..4f049148 100644
--- a/app/policies/submission_policy.rb
+++ b/app/policies/submission_policy.rb
@@ -6,14 +6,16 @@ class SubmissionPolicy < ApplicationPolicy
 end
 # insights? is used in the flowr_controller.rb as we use it to authorize the user for a submission
- # download_submission_file? is used in the live_streams_controller.rb
- %i[download? download_file? download_submission_file? run? score? show? statistics? stop? test?
- insights? finalize?].each do |action|
+ %i[download? download_file? run? score? show? statistics? stop? test? insights? finalize?].each do |action|
 define_method(action) { admin? || author? || author_in_programming_group? }
 end
- def render_file?
- everyone
+ # download_submission_file? is used in the live_streams_controller.rb
+ %i[render_file? download_submission_file?].each do |action|
+ define_method(action) do
+ # The AuthenticatedUrlHelper will check for more details, but we cannot determine a specific user
+ everyone
+ end
 end
 def index?
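Review bot: In submission_policy.rb, `download_submission_file?` now answers `everyone` for every caller of the policy, not only for the live-stream action, so any view or controller that consults it for a session user gets `true` for any submission. Because the controller change in this commit sets `@current_user` to the submission's owner before `authorize`, the previous restrictive predicate would presumably still have passed (`author?` is defined outside this hunk), and keeping it would leave a second check behind the signed URL. If the permissive rule stays, extend the comment to state the precondition, e.g. `# Only valid after AuthenticatedUrlHelper.retrieve! has verified the signed URL; never use for session-authenticated requests`.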