I'd hardly call it a corner case. That part of GDPR was written very much in mind with the secondary-purposes bullshit that US companies do on the regular.
So first, to answer your question: a company can update its Privacy Policy and have it apply to data collected in the future. This is generally seen as OK to the extent that the data subject can decide to stop using the service if they don't like those terms. For a game, probably allowed.
But there's the thing: Unity doesn't directly control the Privacy Policy! The game dev interacts with the data subject (player), and is in theory the one responsible for putting a privacy policy in front of them. If the game dev is compliant, they mention they transfer data to Unity and link to the policy. But Unity has no way of pushing that terms have been updated. And the game dev sure as fuck isn't going to do that now.
In theory historical data is allowed to be processed for new purposes BUT Unity must inform the data subject they intend to do so. That will, uh, blow their cover. They've been trying to hide under the radar about their data collection.
Now aside from all this, there's a mighty issue involved that in the US would be called "standing." These are all rights of the data subject, i.e. the player. The game dev doesn't actually have these rights. Even if Unity is in the wrong here, the dev has not been wronged.
What the dev has is a claim that they are being billed based on data that was collected unlawfully, and they have to work towards claiming that the bill itself is therefore unlawful. That will be difficult to the extent that the dev is themselves complicit in the data collection, especially since a lot of them didn't put in "proper" privacy notices to their game.
One saving grace is that EU regulators tend to factor in the legal sophistication and power disparities between parties when figuring out who's responsible for this, in a way that the US assuredly dose not.