Your problem is that you seem to be that you're dealing with Facebook directly and then giving ACS the access token. That's not the ACS model for Facebook. The basic model is that ACS deals with Facebook first, not your app. The way this works is:
- The end user requests an access token from Facebook. This happens either directly though ACS (for example, by making a WS-Federation sign-in request) or to a URL specified by ACS (through IdentityProviders.js).
- The user logs in at Facebook.
- The auth code is sent to ACS.
- ACS exchanges the auth code for an access token and retrieves some user data. This is run through rules, packaged into a token, and sent to your RP. One of the claims in this token is the access token, which your RP can then use to make further Facebook calls.
ACS doesn't support a model where you get the access token yourself, which seems to be what you're trying to do.