I ran into this same issue. I figured that Tumblr must have some sort of partnership in place with Facebook to get this special treatment ( ip whitelist? special api? ) — so I contacted my former Partnerships Rep at Facebook to enquire.
I got to speak with a platform engineer at Facebook about this, and I was totally wrong. There is nothing special going on.
The reason why all the domains running on Tumblr are validating fine with a single app_id, is that the facebook debug tool only checks the validity of the og_tag’s structure (at least when it comes to the app_id). It does not validate if the app_id is properly associated with the given domain.
You can test this by putting up a test page with the your app_id on two different domains — they’ll both validate as fine in the debug tool.
When it comes to actual Facebook API access, Tumblr does everything on their domain. When people do use Facebook buttons/etc on Tumblr, it is often through a third party proxy tool (like ShareThis) or with a non-api button embed. I couldn’t find a single custom-domain running on Tumblr that used the Facebook API or app_id related buttons. If you can, I’d love to see it.
It’s the not answer you want (or I want) — but that is what is happening. Tumblr’s app_id appears on all the domains, but only actually works on “.tumblr.com”; The Facebook debug tool doesn’t actually validate the app_id.