We don't use instant clones; we use non-persistent linked clones. For endpoint protection we use Palo Alto Traps. The key thing with any endpoint client is that you need VDI support. With Traps, I have to install it on the golden image and configure it in VDI mode. This helps a little with performance by pre-scanning the entire golden image, but it's mainly so the Traps client licenses get released when the user logs out.
You may want to take a look at Cylance as it has a smaller footprint/overhead compared to traditional protection software.