I decided to try an experiment - I banned my own IP and tried to access the NZDWFC site. I got a 403 error, and the 403 script logged the error properly, so the scripts were OK.
I then tested the hotlinking by translating a page in Google. The graphics loaded. The image hotlinking protection on the two subdomains was broken. Buggery.
It turned out to be because I'd added mod_rewrite blocks to the .htaccess files for the subdomains, in order to redirect www.music.tetrap.com to the shorter music.tetrap.com. Apparently these rewrite blocks overrode the one in the .htaccess file for the domain as a whole, and that's where the voodoo for banning hotlinks was located. Fixing it was a matter of copying the appropriate hotlink prevention lines into the .htaccess files on both subdomains.
I now anticipate a flood of failed hotlink attempts, as no doubt people have been linking to album covers like mad.