I figured out why there were duplicate packets.
Because I initially couldn’t find a non https download link I was running apache locally on the kali host itself to serve up both the original file as well as the evil replacement file.
This also ended up confusing me when I went to try to target the windows vm as after after running arp spoof I could see all traffic going to/from internet from the windows machine
but couldn’t see any of the requests made from the windows machine to the kali machine itself. In my overly complicated setup I had to add the iptables INPUT/OUTPUT rules as well as the FORWARD rules so I could see traffic directed to the kali host as well.