So When you change the LM Compatibility Level" to krb only then only kerberos authentication is accepted by SVM.
So if client connects to SVM selecting NTLM authentication then SVM will fail the request.
I dont think the issue is because or the user account rather i think the client is trying to use NTLM authentication when connecting to SVM. Since KRB is the only authentication allowed , client fails to connect.
Wheneven client connects to SVM using IP address , only NTLM authentication will happen. So if LM Compatibility Level" to krb only then those client connections will fail.
If the issue is seen with VSCAN user account , then it could be because of VSCAN connection is not configured for Kerberos.
For Kerberos authentication to work for the AV communication, create a DNS entry[HOST(A) record] for the data LIF used for VSCAN connection and a service principal name[ use setspn -s to add SPN entry] on the DC corresponding to the DNS entry created for the data LIF. Use this name when adding a LIF to the AV Connector. The DNS should be able to return a unique name for each data LIF connected to the AV Connector.