The Computer Oracle

What prevents unsolicited internet packets from using up my monthly data limit?


Full question
https://superuser.com/questions/1780665/...

--

Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...

ACCEPTED ANSWER

Score 7


> My home router can use port-forwarding to act as a server, so I assume all internet packets sent with my public IP address as a destination are hitting it (and just not getting any response from my router since I am not using the port-forwarding).

You're probably not getting any response because the router's firewall is set to quietly drop everything. Packets would be hitting it even if it didn't do port-forwarding, as long as it had a global (public) IP address.

However, the presence of a port-forwarding feature doesn't mean it'll actually work. With a cellular connection, it's very likely that your router doesn't have a public IPv4 address at all – most such connections are behind CGNAT (carrier-grade NAT, applied by your ISP), and so the IP address shown by "What is my IP" wouldn't really be your address.

So first look carefully at your router's status page, where the router itself (not any third-party website) shows your "WAN IP address". If it's a private address – including if it's a 100.64.0.0/10 address – then you are behind CGNAT and your router is not even receiving those packets at all.

(Though while you're there, don't forget to look for "WAN IPv6 address" to find out whether your ISP supports that yet. IPv6 addresses usually won't be affected by CGNAT, although they may still be firewalled as described below.)

> Could one IP therefore just flood my router this way and quickly use up all of my monthly data cap limit?

In the simplest case, if you have a public IP address (whether it's IPv4 or IPv6) and are not behind an ISP-level firewall, yes they could.

> If this is always a possibility, just like Denial-of-Service attacks, is there anything the internet backbone and my provider do to limit it?

Your provider might, although given how small the limits seem to be, they would likely not react in time (and they probably don't care that much, either). They're fully capable of blocking traffic to your individual IP, though, and can do it before it reaches the system responsible for accounting, if they wanted to.

The "internet backbone" doesn't care about what kind of traffic it carries, and the traffic it does carry is in volumes that would drain your limit in seconds anyway (with 100Gbps and 400Gbps links now being the norm), so there's no time to apply any additional filtering anyway.

(There is no single "internet backbone" and hasn't been for decades; it's privately managed by various carriers – the bunch of "Tier 1" carrier ISPs is what makes up the most of it. Besides that, a large chunk of "local" traffic goes directly via private peerings between ISPs rather than through carriers, making it invisible to the "backbone" anyway.)

> Do cell phone data providers do more to prevent this since cell data caps are smaller?

Many such providers put their customers behind a stateful firewall at ISP level, so that inbound packets wouldn't be accepted at all if they do not belong to a known connection or flow (similar to how a router's or PC's stateful firewall works).

(Also, as long as we're talking only about IPv4, many cell network operators just don't issue their customers public IPv4 addresses directly at all – they implement CGNAT instead, which has a similar result to your router doing NAT without port forwarding: the inbound packets either stop at the ISP's CGNAT gateways, or sometimes don't even reach them at all.

The usual result [1] of being behind CGNAT is very similar to being behind a stateful firewall – you will receive replies to your own connections, but will not receive any "new" packets.

That being said, increasingly more ISPs and network operators support IPv6, and CGNAT is usually not applied to IPv6, but an ISP that applies CGNAT to IPv4 traffic can just as well apply a regular firewall to IPv6 traffic, so it's not an issue.)

But if you have a dedicated public IP address for your cellular connection, presumably having obtained it with the intent of receiving inbound connections (despite the data cap), then you've kind of opted in to receiving any kind of inbound packet.



[1] (Though that's not inherent to NAT or CGNAT – I've seen operators do 1:1 CGNAT in the past, for reasons other than address scarcity, and it did fully allow inbound packets due to being 1:1 mapped – but the vast majority of operators using CGNAT implement it just like your router does NAT; as you can see from the almost-weekly "why does my port-forwarding not work" threads we have here.)
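
Added example (not part of the original answer): the WAN-address check described above, written as a small Python classifier. The function name, the verdict strings and the sample addresses are assumptions made for illustration; the 100.64.0.0/10 range is the one the answer names.

```python
import ipaddress

# Shared address space used for carrier-grade NAT (the range named above).
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(wan_ip, observed_ip=None):
    """Classify the "WAN IP address" shown on the router's own status page.

    wan_ip      -- address the router itself reports (IPv4 or IPv6)
    observed_ip -- optional address a "What is my IP" site reported
    Returns 'cgnat-shared', 'private', 'translated-upstream' or 'public'.
    (Hypothetical helper and verdict names, for illustration only.)
    """
    wan = ipaddress.ip_address(wan_ip)

    # Test the CGNAT range explicitly and first: Python's is_private is
    # False for 100.64.0.0/10, so is_private alone would miss it.
    if wan.version == 4 and wan in CGNAT_RANGE:
        return "cgnat-shared"

    # RFC 1918, IPv6 ULA, link-local, loopback and similar ranges.
    if wan.is_private:
        return "private"

    # A public-looking WAN address that differs from what the outside
    # world sees still means translation happens upstream of the router.
    if observed_ip is not None:
        seen = ipaddress.ip_address(observed_ip)
        if seen.version == wan.version and seen != wan:
            return "translated-upstream"

    return "public"


if __name__ == "__main__":
    # Constructed sample inputs: (router WAN address, externally observed).
    samples = [
        ("100.72.14.9", "8.8.8.8"),         # inside 100.64.0.0/10
        ("192.168.8.100", "8.8.8.8"),       # RFC 1918 private
        ("8.8.8.8", "8.8.8.8"),             # same address inside and out
        ("2606:4700:4700::1111", None),     # global IPv6 address
    ]
    for wan_ip, seen_ip in samples:
        print(f"{wan_ip:24} -> {classify_wan_address(wan_ip, seen_ip)}")
```

Only a 'public' verdict means unsolicited packets can reach the router at all, and even then an ISP-level stateful firewall may still drop them first.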