Its a public IP on a vlan

a NTP server is running by default on that IP so i want to block everyone outside of our network to access that port on that IP to secure NTP from the outside world.

In which case apply the ACL on the internet edge of your network in the inbound direction.

what am i doing wrong?

What would the command be?

What do you have at the internet edge? Is it a firewall? Router with stateful firewall?

These are 3750's edge routers which connect direct to BGP.

Then you need you configure ip access-group <acl_name> in on the Layer3 interface (either SVI or routed switchport) which connects to your ISP.

I would be surprised if there isn't already an ACL present.

Can you share the running config for that interface?

I cant send you our config as it has sensitive informations and ip's and blocks and so on in it and would be a further security risk

We do use "ip prefix-list" to block actual IP's and blackhole them.

But we want to block an actual IP's Port not the entire IP as it would cause big issues.

I dont understand why "disable ntp" doesnt not work on the vlan and still keeps the port open. and why there is no global command to disable NTP on the switches.

The ntp disable command issued at the interface level stops ntp queries from being served on that particular Layer3 interface, ie it prevents and outside NTP peer from querying your NTP router. It does not stop NTP quires which are traversing the router. ie a NTP packet can still arrive on an ntp disable interface and be routed further into your network.

If you want to stop peering traffic on an interface and/or stop NTP transit traffic then you need to use an ACL.

We do not know anything about this environment or the context for the application of this acl and that makes it difficult to give good advice. My comment at this point is that there is a mismatch between what you post as the configuration of the acl

 deny   udp any any eq ntp

and what you post as the operation of the acl

10 deny udp any x.246.247.64 0.0.0.15 eq ntp

I'm a novice, but if I had to take a guess, it's the same reason you can't block incoming SSH from hitting a router interface, the access-group ACL is getting processed AFTER the SSH (or NTP) request is processed by the router (same reason that object-groups are garbage and don't work for things processed on the local router, but work on things passing through the router). 
The only way you can block SSH or NTP from a specific interface is likely with a control-plane policy.  CPPs are hard to get right the first time, I highly advise you "write memory" and set a reload timer (reload in 60) in case you lock yourself out before starting, that way WHEN you lock yourself out because of something you forgot it will reboot on the original config after an hour.

Also you could just block the NTP via a global ACL with:

ip access-list standard ACL_NTP_PEER
 permit 132.163.97.5  ! NIST time server
 deny any
!
ip access-list standard ACL_NTP_SERVE
 permit 192.168.0.0 0.0.255.255  ! local network
 deny any
!
ntp access-group peer ACL_NTP_PEER
ntp access-group serve ACL_NTP_SERVE
!
ntp server 132.163.97.5

but know that all incoming NTP hits peer first, then serve, so if you want to get time from somewhere add a permit to peer, if you only want to give time to a user/device add it to serve, but EVERYTHING will try to peer first, so if you don't want them to set your clock but still want them to get timing, deny them in peer first and permit in serve.

There are other commands for NTP ACLs besides peer and serve (serve-only, query-only) but those will likely screw up the NTP handshake on the distant end and confuse it.