The password hash in your cookie is what you should put in the password_hash query argument. But even then I regularly get a 503; I think it's just that Danbooru is often overloaded and that causes a 503 return. It usually works after a while.
In normal HTML browsing, the 503 is only returned when you don't have an account or aren't logged in. I guess that logic doesn't apply to XML requests. This may be a bug or it may be intentional. Maybe the logic only checks the cookie, which an XML request wouldn't have.
I have the same problem with the IQDB update script. Maybe I should switch to using cookies instead.