Thanks Mark,
My user initially had read only permissions on everything, ad R/W permissions only on a specific DAM folder.
This morning, as an experiment, i gave full permissions to the User on the entire CRX structure.
then the companion app was able to connect. After that i gradually removed all those permissions to find which one did the trick, but now i'm down to the original permission and my user still connects.
Looks like that one time admin privilege helped create a temp folder or profile somewhere, due to which my user connects seamlessly now.
FYI - i did not change my connection URL during these tests, since my User did have Read permissions through the /lc/content/dam structure,
I'm going to test read only use cases, and will post back if i notice any anomalies