If you wish to prevent the firmware file from being downloaded from your HTTPS server, then you could add client authentication to your devices. This means that only an HTTP client with correct authentication is granted access to the file.
I know of two authentication mechanisms that the ESP IDF HTTP client supports. Firstly the good old HTTP authentication in basic or digest variant (just make sure you use HTTPS, not HTTP for basic auth):
https://docs.espressif.com/projects/esp ... entication
The advantage is that it's quite simple to do on both device and server side. The password could be shared between all your devices, or you could issue and send temporary passwords in whatever OTA command you send to the device. I just love that the HTTP client accepts a URL with a user name and password embedded into it (i.e.
https://user:pass@server.com) - this really simplifies the job of issuing OTA commands with single-use logins.
Secondly you can do it with HTTPS certificates, i.e. mutual TLS. I don't know of a simple getting started guide existing, but the HTTP client does support it.
https://docs.espressif.com/projects/esp ... t_config_t
The advantage is that you can use the full power of the x509 certificate chain to verify the client as well as the server using trusted CA-s. But the custom PKI is a bit of work, though.