
request and access tokens in oauth


Can someone explain why request tokens must be exchanged for access tokens after user approval? Why not pretend the request token is the access token once the user has approved access?


Solution

  • Short Answer : To authenticate the Application.

    Refer to YouTube's OAuth Process Flow Diagram

    OAuth is a 3-Legged protocol. In this particular case, YouTube needs to authenticate two different entities - a) The user and b) The application that needs access.

    Now, after the user grants access (Step 10 in the diagram), YouTube knows that "User x wants to grant application Y access to YouTube". But it hasn't yet verified application Y. A rogue application can perform all the steps up to step 10 pretending to be a valid, known application - and such an action must be prevented.

    In the last 3 steps, the application verifies itself to YouTube by signing the request. Once this is done, YouTube can safely provide an access token to the application.
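The exchange step described in the answer above, as an added example that is not part of the original question or answer: a toy OAuth 1.0a provider in Python that hands out a request token, records the user's approval, and then issues an access token only if the exchange request carries a valid HMAC-SHA1 signature (RFC 5849 style, signing key = consumer secret + token secret). A rogue client that knows the request token and the user's verifier but not the registered consumer secret is refused, which is exactly why the approved request token cannot simply be used as the access token. The class and function names (`Provider`, `signed_params`, `run_flow`), the consumer `app-Y` with secret `Y-secret`, and the `provider.example` URLs are constructed for this example; the provider skips the timestamp/nonce replay checks a real one would perform.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

# Endpoints of the (hypothetical) service provider.
REQ_URL = "https://provider.example/oauth/request_token"
ACC_URL = "https://provider.example/oauth/access_token"


def pct(s):
    """Percent-encode as RFC 5849 section 3.6 requires (only unreserved chars kept)."""
    return quote(str(s), safe="~")


def signature_base_string(method, url, params):
    """METHOD & enc(url) & enc(normalized, sorted parameter string)."""
    items = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in items)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def signed_params(consumer_key, consumer_secret, method, url, extra, token_secret=""):
    """What a client sends: oauth_* protocol parameters plus the signature."""
    params = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1700000000",  # constructed; real clients use current time
              "oauth_nonce": secrets.token_hex(4), "oauth_version": "1.0", **extra}
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params


class Provider:
    def __init__(self, consumers):
        self.consumers = consumers        # consumer_key -> consumer_secret of registered apps
        self.request_tokens = {}          # token -> {"secret", "consumer", "verifier"}
        self.access_tokens = {}           # access token -> consumer_key

    def _check_sig(self, method, url, params, token_secret):
        """Recompute the signature with the secret we hold for the claimed consumer key."""
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        if consumer_secret is None:
            return False
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = sign(method, url, unsigned, consumer_secret, token_secret)
        return hmac.compare_digest(expected, params.get("oauth_signature") or "")

    def request_token(self, method, url, params):
        """First leg: the application obtains temporary credentials."""
        if not self._check_sig(method, url, params, ""):
            raise PermissionError("bad consumer signature")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret,
                                      "consumer": params["oauth_consumer_key"],
                                      "verifier": None}
        return token, secret

    def authorize(self, token):
        """Second leg: the user approves in the browser; a verifier is issued."""
        verifier = secrets.token_hex(4)
        self.request_tokens[token]["verifier"] = verifier
        return verifier

    def access_token(self, method, url, params):
        """Third leg: approved request token + proof of the consumer secret -> access token."""
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or rt["verifier"] is None or rt["verifier"] != params.get("oauth_verifier"):
            raise PermissionError("request token not authorized by the user")
        if rt["consumer"] != params.get("oauth_consumer_key") \
                or not self._check_sig(method, url, params, rt["secret"]):
            raise PermissionError("caller cannot prove it is the registered application")
        del self.request_tokens[params["oauth_token"]]   # single use: no replay of the exchange
        token = secrets.token_hex(8)
        self.access_tokens[token] = rt["consumer"]
        return token


def run_flow():
    """Legitimate app, rogue app (no consumer secret) and a replay, against one provider."""
    provider = Provider({"app-Y": "Y-secret"})
    tok, tok_secret = provider.request_token(
        "POST", REQ_URL, signed_params("app-Y", "Y-secret", "POST", REQ_URL, {"oauth_callback": "oob"}))
    verifier = provider.authorize(tok)          # user x grants app-Y access
    exchange = {"oauth_token": tok, "oauth_verifier": verifier}

    def attempt(consumer_secret):
        try:
            p = signed_params("app-Y", consumer_secret, "POST", ACC_URL, exchange, tok_secret)
            return provider.access_token("POST", ACC_URL, p)
        except PermissionError:
            return None

    rogue = attempt("guessed-secret")            # claims to be app-Y, lacks its secret
    legit = attempt("Y-secret")
    replay = attempt("Y-secret")                 # request token already consumed
    return {"rogue_rejected": rogue is None,
            "legit_ok": legit is not None and provider.access_tokens[legit] == "app-Y",
            "replay_rejected": replay is None}


if __name__ == "__main__":
    print(run_flow())
```

The point the answer makes is visible in `Provider.access_token`: user approval alone only proves that "user x approved a token"; the signature check on the exchange is what proves the caller is the application x approved, and consuming the request token on success keeps the exchange single use.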