So if a security bug was discovered using methods that are against the TOS, then the information about the bug is worthless for them and it's better to sell it elsewhere.
The whitehat page explicitly says that you must “not interact with other accounts without the consent of their owners” in order to qualify for the bounty. So yes, apparently Facebook can deny payment and suspend your account if they can reasonably suspect that you violated someone's privacy during bug discovery.
However, it seems that if you don't give them any clues in your report, they'll close their eyes and won't carefully investigate that possibility.