Vyacheslav Correct, 2017-02-06 11:21:26
PHP

Simple protection against SMS gateway balance drain?

Tell me, I'm doing registration via SMS, and a question arose: after clicking "register", the user is taken to a page with a form where the confirmation code is entered. I need to make a "request the code again" button, and I'm racking my brains; I searched on Google, but maybe I phrased it wrong). In general, if you make the button inactive through a JS timer, the thought arises that an attacker can reset the timer, because JS is executed on the client. What is the best way to do this in order to protect the balance?

4 answers

Stalker_RED, 2017-02-06
@Stalker_RED

Essentially, your resend protection is the same as your "cheat protection". It is easy to google; it has been discussed on Toster more than once. Also, please note that not only re-sending but also the first sending during registration can be abused.

Yuri, 2017-02-06
@riky

The easiest option is to save the sending time in the session and check it before sending:

session_start();
// Allow a send only if at least 100 seconds have passed since the last one;
// on the first request the session has no timestamp yet, so default to 0.
if (time() - ($_SESSION['last_sms_send'] ?? 0) > 100) {
    send();
    $_SESSION['last_sms_send'] = time();
}

But an attacker can delete the session cookie; as a result a new session will start and the limit will not be taken into account.
So you need to save the sending time together with the IP,
say in Redis,
and check it the same way as in the first option.
Of course, whoever needs it badly will take a proxy and bypass such protection, but there you are unlikely to come up with anything.

Melkij, 2017-02-06
@melkij

If for some reason your project needs registration via SMS confirmation, then you can simply be flooded with a stream of registrations. If SMS is expensive, don't use SMS.
Put counters on the server side (for example, in Redis or memcache): one key for the phone number, a second for the IP (well, or something else, but about the client you only know the IP for sure; HTTP guarantees nothing else), with the date the SMS was sent as the value. And just don't let them send messages more often than some sane time interval.
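The server-side counters Melkij describes (and the Redis variant of Yuri's session check), written out as an added example that is not from any of the answers: a per-phone lock and a per-IP counter kept in Redis, using atomic commands so that two simultaneous "request again" clicks cannot both get through. It assumes the phpredis extension, an already connected $redis client and a $phone taken from the submitted form; the intervals and limits are illustrative values.

```php
<?php
// Added example: server-side SMS send limiting keyed by phone number and by
// client IP, stored in Redis. Assumes the phpredis extension and that $redis
// is an already connected Redis client (assumption, not shown here).

function smsSendAllowed(Redis $redis, string $phone, string $ip): bool
{
    // Per-IP counter: at most 5 sends per 10 minutes from one address.
    // INCR is atomic, so there is no read-then-write race between requests.
    $ipKey = 'sms:ip:' . $ip;
    $count = $redis->incr($ipKey);
    if ($count === 1) {
        $redis->expire($ipKey, 600);   // the window starts with the first send
    }
    if ($count > 5) {
        return false;
    }

    // Per-phone lock: one send per 120 seconds for the same number.
    // SET NX EX only succeeds if the key does not exist yet and expires it
    // automatically, so the "last sent" timestamp cannot be reset by the
    // client (unlike a session cookie or a JS timer).
    $phoneKey = 'sms:phone:' . preg_replace('/\D+/', '', $phone);
    $set = $redis->set($phoneKey, (string) time(), ['nx', 'ex' => 120]);
    return $set === true;
}

// Usage in the "request the code again" handler ($phone comes from the form).
$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (smsSendAllowed($redis, $phone, $ip)) {
    send();   // the project's own sending function, as in the answer above
} else {
    http_response_code(429);
    echo 'Please wait before requesting a new code';
}
```

Because the phone lock is checked only after the IP counter has been incremented, a rejected request still consumes one slot from its IP window; that is the conservative side to err on.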

Vyacheslav Correct, 2017-02-06
@Zonor

Yes, there are so many troubles that I hadn't even thought about. Apparently I have to drop the confirmation code or come up with something better.
