Is this a core rule of apache to not move the password file out of the conf directory?
No. The password file can be located anywhere on disk as long as apache has permission to read it. My guess is that this may be a problem with permissions on the directory.
When apache runs it runs as root, so should be able to read all it's configuration files regardless of owner. The processes that are used to handle the incoming requests however do not run as root, and it is those that need to be able to read the password file. Typically this can run under one of the usernames nobody, apache or www-data, depending upon the distribution (or configuration). You should check that permission is given for the non-privileged user to be able to read and execute in the containing directory (and directories upwards of that), and to be able to read the password file.