Individuals can see their own vote, and who they voted for, right?
If that's the case, it would be evidence that an individual voted for a specific candidate. This is, essentially, proof for anyone who'd want to purchase votes.
If they can't see who they voted for, they'd need some alternative way to verify that their vote counted for the candidate they wanted to vote for, without actually disclosing who that candidate is. Which would add some complexity to the solution.
You could also add a second layer of security here pretty easily. People would probably need to be given a printout with their hash on it. To avoid this receipt being proof, that receipt would include a large number of hashes with various voting combinations also shown. The voter knows which hash is his, but nobody else does. And he's free to claim whichever one he likes for himself.
To solve the issue of first voters (when there would be no other valid hashes for their printout) simply seed all candidates with a billion votes to start. Which hash is real and which is 'fake' is irrelevant since all that matters is the sum total of which we know 1 billion are to be removed.
How would that work? If they would get any hash that is not bound to them in any verifiable way, how does that prove to THEM that they are verifying their own vote?
If that's the case, it would be evidence that an individual voted for a specific candidate. This is, essentially, proof for anyone who'd want to purchase votes.
If they can't see who they voted for, they'd need some alternative way to verify that their vote counted for the candidate they wanted to vote for, without actually disclosing who that candidate is. Which would add some complexity to the solution.