Here's a patch which addresses the issue. Instead of logging in as the KSSL principal, we now always log in as the hdfs/ principal. This change also allows us to trim down the set of principals who may legitimately hit the GetImageServlet to only the NN and 2NN hdfs/ principals, instead of those and the NN and 2NN host/ principals.
I missed this in my testing since I always had both the KSSL and SPNEGO principals configured in my conf, even though I was switching back and forth between using SPNEGO and KSSL. I tested this patch by ensuring that the KSSL principals were commented out when testing checkpointing with SPNEGO, and likewise that the SPNEGO principals were commented out when testing checkpointing with KSSL.
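The narrower access rule described in this comment, as an added sketch that is not part of the comment or the attached patch and is not Hadoop's own code: an exact-match allowlist that admits only the NN and 2NN hdfs/ principals. The class and method names, the `_HOST` placeholder handling, and every host name and realm below are assumptions constructed for illustration.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper, not a Hadoop class.
public class ImageServletAllowlist {
    private final Set<String> allowed = new HashSet<>();

    // Assumption: configured principals use a _HOST placeholder that is
    // replaced with the lower-cased fully qualified host name.
    static String resolve(String pattern, String fqdn) {
        return pattern.replace("_HOST", fqdn.toLowerCase(Locale.ROOT));
    }

    ImageServletAllowlist(String nnPattern, String nnHost,
                          String snnPattern, String snnHost) {
        allowed.add(resolve(nnPattern, nnHost));    // NN hdfs/ principal
        allowed.add(resolve(snnPattern, snnHost));  // 2NN hdfs/ principal
    }

    // Compare the whole primary/instance@REALM string. Matching only the
    // host part would admit host/ principals, and matching only the
    // "hdfs" primary would admit every other HDFS daemon.
    boolean isAllowed(String remotePrincipal) {
        return remotePrincipal != null && allowed.contains(remotePrincipal);
    }

    public static void main(String[] args) {
        ImageServletAllowlist acl = new ImageServletAllowlist(
            "hdfs/_HOST@EXAMPLE.COM", "NN1.example.com",
            "hdfs/_HOST@EXAMPLE.COM", "snn1.example.com");

        // Constructed sample callers.
        String[] callers = {
            "hdfs/nn1.example.com@EXAMPLE.COM",   // NN: allowed
            "hdfs/snn1.example.com@EXAMPLE.COM",  // 2NN: allowed
            "host/nn1.example.com@EXAMPLE.COM",   // host/ principal: denied
            "hdfs/dn7.example.com@EXAMPLE.COM",   // other hdfs/ daemon: denied
            "hdfs/nn1.example.com@OTHER.REALM",   // foreign realm: denied
        };
        for (String caller : callers) {
            System.out.println((acl.isAllowed(caller) ? "ALLOW " : "DENY  ") + caller);
        }
    }
}
```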