
No, they’re not possible. Yes, the auth server would return an error because the token is retrieved by the server out-of-band (Mallory can’t intercept via the browser) and must provide its credentials to Facebook to retrieve said token.

Additionally, Facebook SHOULD check that the client using the code is the same client that initiated the OAuth flow.
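
The two checks the comment describes, as an added illustration that is not part of the comment and not Facebook's implementation: a toy authorization server whose token endpoint (a back-channel call) requires client credentials, and which also refuses to redeem a code for any client other than the one that started the flow. The client registry, secrets, redirect URIs and in-memory code store are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo registry: client_id -> sha256(client_secret). Not real credentials.
CLIENTS = {
    "app-legit": hashlib.sha256(b"legit-secret").hexdigest(),
    "app-other": hashlib.sha256(b"other-secret").hexdigest(),
}

# Authorization codes minted by the authorize step, keyed by code value (hypothetical store).
ISSUED_CODES = {}


def issue_code(client_id, redirect_uri, user):
    """Authorization endpoint: mint a single-use code bound to the client that began the flow."""
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "user": user,
        "used": False,
    }
    return code


def exchange_code(code, client_id, client_secret, redirect_uri):
    """Token endpoint: called server-to-server, so the caller must authenticate as a client.

    Someone who only captured the code from the browser redirect has no client secret,
    so the exchange fails before the code is even looked up.
    """
    expected = CLIENTS.get(client_id)
    if expected is None:
        return {"error": "invalid_client"}
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return {"error": "invalid_client"}

    record = ISSUED_CODES.get(code)
    if record is None or record["used"]:
        return {"error": "invalid_grant"}

    # The check the comment says the server SHOULD do: the client redeeming the code
    # must be the client the code was issued to, on the same redirect_uri.
    if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}

    record["used"] = True  # codes are one-shot; a replay is rejected above
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "user": record["user"],
    }


if __name__ == "__main__":
    code = issue_code("app-legit", "https://legit.example/cb", "alice")
    print(exchange_code(code, "app-legit", "guess", "https://legit.example/cb"))          # invalid_client
    print(exchange_code(code, "app-other", "other-secret", "https://legit.example/cb"))   # invalid_grant
    print(exchange_code(code, "app-legit", "legit-secret", "https://legit.example/cb"))   # access token
    print(exchange_code(code, "app-legit", "legit-secret", "https://legit.example/cb"))   # invalid_grant (replay)
```

The second rejection is the one the comment's "SHOULD" is about: even a properly registered client with valid credentials cannot redeem a code that was issued to a different client, which is what stops a code lifted from one app's redirect from being cashed in through another app's back channel.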
