Computer networks
Nikolay, 2020-09-25 15:05:14

Restricting traffic on open ports?

Good afternoon. Let's say there is a home network that is also used for home hosting.
Let's say I want a website on port 80; I have no other open ports.
If someone decides to DDoS the site, they will saturate the entire Internet channel and, accordingly, the Internet will become inaccessible.
Is it possible, and if so, how exactly, to restrict traffic to a specific port (or ports)?
For example, I have a 400/40 channel; I could allocate 200/20 to the site and the rest to the home network.
In case of a DDoS, only 50% of the Internet channel could then be saturated and the site would go down, but all the other devices at home would keep working.
Is it possible to do this as a layer between the provider's router and the network, for example in a virtualized pfSense?
Or do I need to buy a separate router? In any case, changing the router will be difficult, if only because the Internet comes in over coaxial cable; the most I can do is run an uplink from the router to another router and set everything up there, but that will not work.
Maybe I described it wrong or suggested something wrong, but the gist is clear:
Having one network, divide it into two, so that only one of the two goes down during a DDoS while the second keeps working.
Is this even possible? I don't want to rent a second Internet connection for this.


4 answer(s)
nApoBo3, 2020-09-25
@SODINNER

Realistic options:
1. Place a router on another channel and send already limited traffic from it to your channel.
2. Buy cloud-based DDoS protection.
The first option is likely to be cheaper: you place a virtual router at a hosting provider and limit the link towards your router, but then why not host the site at that hosting provider directly? Still, the second option is preferable.
Most importantly, it is not clear who would arrange such an attack on your site, or why.
If you want to do something just in case, give your site a separate IP; then the provider will be able to block only that IP, and you change the DNS record for the site. For simple, not too critical sites, this will be enough within a few hours.

ComodoHacker, 2020-09-25
@ComodoHacker

Short answer: you can't.
If a packet arrives at your external IP address, that is, at your border router, you can basically do two things with it: accept it (and, for example, forward it to a server on your home network) or not accept it (drop it). In both cases the packet has already reached you and has already taken up part of your channel's bandwidth. You have no control over incoming traffic. An attacker can flood your channel with SYN packets to any port, open or closed. That is why DDoS works.
The only way to make sure these packets do not occupy your channel is not to send them down it at all, that is, to drop them earlier, on the provider's router. And if they really start DDoSing you, the provider will do that, rest assured! It will cut off your link long before your channel gets clogged.

Artem @Jump, 2020-09-25

Is it possible, and if so, how exactly, to restrict traffic to a specific port (or ports)?
This can be done by the provider or by a third-party service, for a decent fee.
Providers usually do not do this; it is easier for them to disconnect a problem subscriber.
For example, I have a 400/40 channel; I could allocate 200/20 to the site and the rest to the home network
Under DDoS, the channel from the provider to you will go down, and there will be no Internet access.
Within your local network you can divide things however you like.

Yaroslav, 2020-09-25
@yaror

In principle, if your provider is willing to split your channel into two VLANs and configure QoS so that each VLAN gets some guaranteed bandwidth, then why not?
This is usually possible on the provider's side, but they're too lazy :)
There is also a technical possibility to filter DDoS from your side; for this you will have to either use a traffic-scrubbing service from the provider or from a specialized company, or, the most "head-on" way, bring up BGP with your provider plus BGP Flowspec.
I guess commercial questions are discussed separately :)
So, BGP Flowspec: RFC 5575/7674.
In short, BGP Flowspec allows you to ask the upstream provider, even automatically (important!), to block incoming traffic that matches certain criteria:
- Source prefix
- Destination prefix
- IP protocol
- Source port / destination port
- Packet length
- etc.
That is, using a standard extension of the BGP protocol, you can ask your provider: "Please do not pass UDP packets of 100 to 150 bytes with a source port in the range 1000-2000 and a source IP address in the range 1.2.3.0/24 towards me."
Thus, yes, the traffic you asked not to be passed to you will die at your provider (and maybe at your provider's provider), and your channel will not be overloaded.
Of course, the creative question remains open: "how do you figure out which traffic should be blocked?" :)
It probably makes sense to use BGP Flowspec _jointly_ with splitting the channel into two VLANs with a guaranteed minimum bandwidth: one VLAN for management and, if necessary, manual modification of the Flowspec rules, and the second one for production.
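The rule Yaroslav describes, encoded on the wire, as an added example that is not part of the original thread and not anyone's BGP implementation. It builds the RFC 5575 Flowspec NLRI for "UDP, 100 to 150 bytes, source port 1000-2000, source 1.2.3.0/24" and the traffic-rate extended community that tells the upstream to discard (rate 0) or rate-limit the match. The destination prefix 203.0.113.10/32 is an assumed documentation address standing in for the home server; the encoder is minimal and written for this illustration only. You would still need a BGP speaker with a Flowspec-enabled session to your provider (ExaBGP or a router) to actually announce the bytes.

```python
"""Minimal BGP Flowspec (RFC 5575) NLRI and traffic-rate encoder.

Added example for illustration; not code from the original page.
203.0.113.10/32 is an assumed documentation address for "my server".
"""
import ipaddress
import struct

# Component types, RFC 5575 section 4 (must appear in ascending order)
DST_PREFIX, SRC_PREFIX, IP_PROTO = 1, 2, 3
PORT, DST_PORT, SRC_PORT = 4, 5, 6
PKT_LEN = 10

# Operator byte bits for numeric components: e(nd) a(nd) len len 0 lt gt eq
END, AND = 0x80, 0x40
LT, GT, EQ = 0x04, 0x02, 0x01


def _prefix_component(ctype, cidr):
    """Type, prefix length, then only as many address octets as the length needs."""
    net = ipaddress.ip_network(cidr, strict=True)
    plen = net.prefixlen
    nbytes = (plen + 7) // 8
    return bytes([ctype, plen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, ops):
    """ops: list of (operator_bits, value); the last operand gets the END bit.
    The operand length is 1 << len, so pick the smallest of 1/2/4 octets."""
    out = bytearray([ctype])
    for i, (op, value) in enumerate(ops):
        if value < 0x100:
            length_code, fmt = 0, ">B"
        elif value < 0x10000:
            length_code, fmt = 1, ">H"
        else:
            length_code, fmt = 2, ">I"
        flags = op | (length_code << 4)
        if i == len(ops) - 1:
            flags |= END
        out.append(flags)
        out += struct.pack(fmt, value)
    return bytes(out)


def numeric_eq(ctype, value):
    return _numeric_component(ctype, [(EQ, value)])


def numeric_range(ctype, low, high):
    # ">= low" AND "<= high": the AND bit joins the second operand to the first
    return _numeric_component(ctype, [(GT | EQ, low), (AND | LT | EQ, high)])


def flowspec_nlri(components):
    """Length prefix (1 octet below 240, else 0xFnnn) followed by sorted components."""
    ordered = sorted(components, key=lambda c: c[0])
    body = b"".join(ordered)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


def traffic_rate_community(rate_bytes_per_sec, asn=0):
    """Extended community type 0x80 sub-type 0x06: 2-octet AS, then IEEE float
    rate in bytes per second. Rate 0 means discard (RFC 5575 section 7)."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(rate_bytes_per_sec))


def example_rule():
    """The rule from the answer: UDP, 100-150 bytes, sport 1000-2000, from 1.2.3.0/24."""
    return flowspec_nlri([
        _prefix_component(DST_PREFIX, "203.0.113.10/32"),  # assumed home server
        _prefix_component(SRC_PREFIX, "1.2.3.0/24"),
        numeric_eq(IP_PROTO, 17),                            # UDP
        numeric_range(SRC_PORT, 1000, 2000),
        numeric_range(PKT_LEN, 100, 150),
    ])


if __name__ == "__main__":
    print("NLRI:        ", example_rule().hex())
    print("discard:     ", traffic_rate_community(0).hex())
    # 200 Mbit/s expressed as the 25,000,000 bytes/s the community expects
    print("limit 200Mb: ", traffic_rate_community(25_000_000).hex())
```

Two details worth noticing when reading the bytes: the packet-length operands (100, 150) fit in one octet while the ports (1000, 2000) need two, and the operator byte carries that width, so a decoder that assumes fixed-size operands will misparse the rule; and the traffic-rate value is bytes per second, not bits, so a "200 Mbit/s" limit for the site is sent as 25,000,000. The provider's policy still decides whether it accepts such a route from a customer session at all.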
