The perceptual hashes used for this kind of thing are, necessarily, much more susceptible to collisions than cryptographic hashes - so it's not out of the question at all.
That's my guess as well. Could be a collision, or it might be he's in a corpus. Or he's been RATed and is not talking to Microsoft at all. I wasn't aware they required face pics to provide service.
No, TFA says the picture was associated to an old account that got flagged - presumably anything linked to that account, picture included, is now cursed.
TFA also says the police were involved. It seems unlikely MS would call the police just for a flagged account, or that if they did, the police would care.
I guess its a hash collision, but that is pretty crazy. Sounds like the plot to a scifi dystopia.