HTTP_REFERER is not a secure method. It is easily spoofed.
I would suggest that you assign a unique identifier to each user, and set up a database to track the purchases. Your download script would then be able to check that database to confirm that the user is allowed to receive the file, and record each download attempt to prevent multiple downloads. The exact coding would depend on the payment method you use. If the method is internal to your website, then you just modify your own scripts. If you use an external payment processor, you'll need to work with their payment confirmation methods.