The client could then exchange the user’s Facebook access token for an access token for the authorization server.

Does it mean you have 2 Authorization servers (one of Facebook and another – your private one) in mind? If yes – you’re abusing OAuth and should use Authorization Code Grant scheme instead.

On Figure 5 from OAuth 2.0 spec (v25) you can find workflow definition:

1. The resource owner provides the client with its username and password.

2. The client requests an access token from the authorization server’s token
   endpoint by including the credentials received from the resource owner. When
   making the request, the client authenticates with the authorization server.

3. The authorization server authenticates the client and validates the resource owner
   credentials, and if valid issues an access token.

This is a quote from Facebook http://developers.facebook.com/docs/guides/web/ :

In order to log the user into your site, three things need to happen. First, Facebook needs to authenticate the user. This ensures that the user is who they say they are. Second, Facebook needs to authenticate your website. This ensures that the user is giving their information to your site and not someone else. Lastly, the user must explicitly authorize your website to access their information. This ensures that the user knows exactly what data they are disclosing to your site.

In both places you have one and only one Authorization server – in your case – the Facebook.