Apr 3, 2019
The authorization request that includes the hash also requires a login and password, and it is a POST request. Therefore, a redirect would not work.
However, if PKCE was incorrectly implemented in the frontend application and, for example, you could somehow inject the hash that would later be sent by the application in the authentication request, your scenario would work, but you would still need an open redirect vulnerability on the auth server to get the code.
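The binding the reply relies on, as an added example that is not part of the original post: a minimal in-memory model of PKCE with the S256 method from RFC 7636, showing that the auth server can only check the verifier against whatever hash (`code_challenge`) it was given, so the client must derive that hash from its own fresh verifier. The function names and the in-memory code store are assumptions made for illustration.

```javascript
// Added example: minimal PKCE (RFC 7636, S256) model. All names are hypothetical.
const nodeCrypto = require('crypto');

// Client side: a fresh verifier from a CSPRNG; only its hash is sent
// in the authorization request.
function newVerifier() {
  return nodeCrypto.randomBytes(32).toString('base64url');
}
function challengeFor(verifier) {
  return nodeCrypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Auth server side (in-memory model): each issued code is bound to the
// challenge that arrived with the authorization request.
const issued = new Map();
function authorize(codeChallenge) {
  const code = nodeCrypto.randomBytes(16).toString('hex');
  issued.set(code, codeChallenge);
  return code;
}
function redeem(code, codeVerifier) {
  const expected = issued.get(code);
  issued.delete(code); // codes are single use, even after a failed attempt
  if (!expected || typeof codeVerifier !== 'string') return false;
  const got = Buffer.from(challengeFor(codeVerifier));
  const want = Buffer.from(expected);
  return got.length === want.length && nodeCrypto.timingSafeEqual(got, want);
}

function demo() {
  const own = newVerifier();     // generated by the client for this login
  const other = newVerifier();   // a verifier the client never generated

  // Correct client: the challenge is the hash of the client's own verifier.
  const codeWrongParty = redeem(authorize(challengeFor(own)), other);
  const codeOwner = redeem(authorize(challengeFor(own)), own);

  // Incorrect client: the challenge sent was not derived from its own verifier.
  // The server cannot detect this; the code is now bound to the other verifier.
  const brokenOwner = redeem(authorize(challengeFor(other)), own);
  const brokenOther = redeem(authorize(challengeFor(other)), other);

  return { codeWrongParty, codeOwner, brokenOwner, brokenOther };
}

console.log(demo());
```

The check for a frontend review follows from the last two results: the challenge must be computed from a verifier created in the same code path for each login, and never read from a URL parameter, storage or any other value that something outside that code path can set.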