Trying to password protect a URL with htaccess

Posted 2019-09-16 18:42

I am using Expression Engine 2 Freelancer edition that doesn't have an authentication module.

I am trying to password protect a template group that has a virtual directory www.domain.com/template

What I am trying to do is use the htaccess in the root to force people to enter a username and password when they try to navigate to the "template" section and the two files under it.

The way that Expression Engine works, the templates are routed to and are not physical directories.

My question is: how can I password protect this URL? I tried using LocationMatch but it didn't work.

Thanks

2 answers
成全新的幸福
#2 · 2019-09-16 18:50

You can't efficiently protect a mod_rewritten URL (if it's possible at all). An attacker would just have to access the physical location that the protected URL gets rewritten to - which you would be leaving unprotected in this scenario.

You will still have to do this on PHP side, I think. If your PHP is running as an Apache module, it should be possible to check whether the requested resource belongs to the protected directory (either through QUERY_STRING or some other indicator), and then send the proper headers requesting authentication as described here in the PHP manual.

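The PHP-side check described in the answer above, as an added example that is not part of the original thread or of ExpressionEngine: a guard placed at the top of index.php that demands HTTP Basic credentials whenever the first routed segment is "template", whether the request arrived as /template or as the rewritten /index.php/template. The function names, the user store and the realm are hypothetical, the query-string routing form is an assumption, and PHP_AUTH_USER / PHP_AUTH_PW are only populated when PHP runs as an Apache module, as the answer notes.

```php
<?php
// Added example (hypothetical helper names; not ExpressionEngine code).
// Include at the very top of index.php so it runs before any template is routed.

const PROTECTED_SEGMENT = 'template';   // first URI segment to guard (from the question)
const AUTH_REALM        = 'Restricted'; // assumed realm label

// Constructed placeholder store: username => hash produced by password_hash().
$templateUsers = [
    'editor' => 'REPLACE_WITH_password_hash_OUTPUT',
];

/** Return the first routed segment, whichever URL form reached index.php. */
function first_routed_segment(array $server): string
{
    $path  = (string) parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    $query = (string) ($server['QUERY_STRING'] ?? '');
    // Assumption: a query string that starts with "/" carries the routed URI.
    if ($query !== '' && $query[0] === '/') {
        $path = (string) strtok($query, '&');
    }
    $path = rawurldecode($path);
    // Drop the front controller so /index.php/template matches /template.
    $path = (string) preg_replace('#^/+index\.php#i', '', $path);
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));
    return strtolower($segments[0] ?? '');
}

function require_basic_auth(array $server, array $users): void
{
    if (first_routed_segment($server) !== PROTECTED_SEGMENT) {
        return;                          // not a protected URL
    }
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pass = $server['PHP_AUTH_PW'] ?? '';
    // Always run password_verify, even for unknown users, to keep timing flat.
    $hash = $users[$user] ?? '$2y$10$' . str_repeat('.', 53);
    if (password_verify($pass, $hash) && isset($users[$user])) {
        return;                          // authenticated
    }
    header('WWW-Authenticate: Basic realm="' . AUTH_REALM . '"');
    http_response_code(401);
    exit('Authentication required.');
}

require_basic_auth($_SERVER, $templateUsers);
```

Basic credentials are sent base64-encoded with every request, so the protected URLs should only be served over HTTPS.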
爷、活的狠高调
#3 · 2019-09-16 19:03

Which method of removing index.php from the URL are you using?

If you're using the "File and Directory Check" Method, you can modify the stock Apache mod_rewrite rule to exclude a certain directory while still allowing all other requests to be run thru index.php.

For example, using the base "File and Directory Check" rewrite rule:

<IfModule mod_rewrite.c>
    RewriteEngine On 
    RewriteCond $1 !\.(gif|jpe?g|png)$ [NC]
    RewriteCond %{REQUEST_FILENAME} !-f 
    RewriteCond %{REQUEST_FILENAME} !-d 
    RewriteRule ^(.*)$ /index.php/$1 [L] 
</IfModule>

With this method, Apache checks to see if the file or directory exists -- if it does the file is served to the browser; if it doesn't exist then it's sent thru index.php and parsed as an ExpressionEngine URI.

To exclude your directory, modify the rewrite rule by adding your .htaccess Basic Authenticated password-protected directory:

<IfModule mod_rewrite.c>
    RewriteEngine On 
    RewriteCond %{REQUEST_URI} !^/(secret-directory|secret-directory/.*)$
    RewriteCond $1 !\.(gif|jpe?g|png)$ [NC]
    RewriteCond %{REQUEST_FILENAME} !-f 
    RewriteCond %{REQUEST_FILENAME} !-d 
    RewriteRule ^(.*)$ /index.php/$1 [L] 
</IfModule>

I'm not fully aware of what all the limitations are with the Freelancer License, but I answered a similar question about password-protecting pages in ExpressionEngine that may prove helpful in your situation.
