As I understand the GPL, you could include a compiled binary of pandoc within the Tinderbox application bundle, as long as you made available the source code of that binary. For example, if you had to modify the pandoc code to add a “–tinderbox” argument for some reason, those changes would need to be available in source form under the GPL.
Aside from that, if it’s not linked in to the Tinderbox binary, you’re fine. From the GPLv3:
A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an “aggregate” if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation’s users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.
I suspect that stashing a binary copy inside the Tinderbox app is by far the easist path.