On documentation https://cloud.google.com/storage/docs/gsutil/commands/acl#ch it says that this command gsutil acl ch -g my-domain.org:R gs://gcs.my-domain.org should grant access to users from domain my-domain.org but I am not sure if this means the referrer of the request to the bucket should have my-domain.org. Can you explain?
And if not then is there a way to protect contents against hotlinking?
No, that refers to users who are logged in with the Google Apps domain @my-domain.org.
There is currently no way to condition ACLs to prevent hotlinking.