If you really want to manage access through WP, then direct access of the files must be prevented and all requests need to be routed through WP. You cannot use WP to restrict direct access because if a requested file exists, it’s impossible to get to WP to check credentials. This is why Ross suggested using host management.
A quick and dirty way to force access through WP is to prevent the file from being interpreted unless access is through WP by starting every file with something like
if ( !defined('ABSPATH') ) die("Cheatin' eh?");
One way to access files through WP is to request through /wp-admin/admin-post.php. The file does a specific action based on the passed “action” parameter. You would need to add a callback for this action as part of theme or plugin code. The callback can check user capabilities and whatever else before including the desired file, which might also be passed as an URL query string. Because WP is including the PHP file, ABSPATH is defined and the rest of the file can be interpreted.
The sort of URL that would cause all of this to happen might look something like
example.com/wp-admin/admin-post.php?action=do_my_file&my_file=target
admin-post.php then does the action “admin_post_do_my_file”. The callback added to that action can check user credentials, then do include ABSPATH . "/my-files/{$_GET['my_file']}.php";
