UPDATE:
we found that the virtual networkname for the instance didnt have delegate trust for kerberos, so i enabled it, also we added the same SPNs as before but without .domain.com
restarted the sql server service
no change
moved the instance to another sql server host in the cluster
IT WORKS!
so, it would seem that there is something fishy with the host...
any ideas ?