Maybe a solution will be to create an endpoint on your domain. Something like:

https://punks.usehive.com/avatar/asgarth/5423

That will resolve in the punk image only if the account asgarth own the punk 5423. Otherwise in a 404 error.
Will be slower the first time, But after that the CDN and the cache should handle it pretty well. And every 6/12 hours the CDN will expire and will need to be validated again.