ISPs are now adding unique header identifiers to web traffic. Can this be avoided? If so, how?

The easiest way to avoid interception/modification of your web traffic is one that you mention in the question which is to use a VPN. This will encrypt traffic between your device and the VPN endpoint and should prevent your ISP from being able to modify web headers or other aspects of your use.

There are VPN clients for most modern mobile operating systems (e.g. OpenVPN which has clients for android and iOS).

One thing to note though is that is using a VPN you are trusting the VPN provider to an extent so it's worth spending some time looking at VPN providers to find one that you're comfortable with. In particular I'd be a bit suspicious of providers who are free as there is a question of how they make money from the service if it's not directly from their customers.

Avoiding the tracking codes is most important for sites to which you don't identify yourself / your device anyway, i.e., anonymous surfing.

Using Tor is the best option since you don't have to trust any VPN provider. VPN is the second best, and you can probably find a VPN provider that you trust at least somewhat more than your mobile carrier. Third best is use HTTPS exclusively since the tracking IDs can't be injected into HTTPS transactions - but this also means there are many sites you wouldn't be able to visit.

AT&T says they change their X-ACR header code for you every 24 hours, so you could conceivably ration your anonymous unprotected surfing to a an acceptable minimum each day.

The reality though is that anything you do over HTTP is subject to mobile carrier monitoring, even if they choose not to act on it by, for example, targeting ads to you based on your online behaviors.

Use a VPN service for privacy. To explain how this helps, let's look at how and why your ISP is modifying your IP packets with a unique identifier:

Normal internet browsing (you don't use a VPN):

-Your ISP puts a unique header on all your traffic

-Your ISP sees any DNS requests you make, which is the first step your browser takes whenever visiting a new web site.

-Your ISP builds a database, matching your DNS queries to your Unique ID

-Your ISP now monitizes that information by selling their database to ad networks

-You visit a web site with an ad network. They see unique identifier and tailor the ads you see there.

-Result: ISP Profit, and advertisers that are able to tailor ads to your interests

Now if you use an VPN:

-You send packets to your VPN (they still pass through your ISP, but contents are encrypted)

-Your ISP can't see what DNS queries your browser asks about.

-Your ISP builds their database, and it shows the only place you ever ask about or visit is your VPN.

-Your ISP can still stick a unique ID in your packet headers

-Your ISP sells their database to advertiser networks.

-Your traffic headers are stripped off by your VPN when they decrypt your packet and route them onward.

-Your packets reach your preferred web site with no unique ID attached.

-Even if the ad network figures out who you are, the database only links you to your VPN, not any other site.

-Result: The database isn't worth much to the ad network so the ISP is not rewarded for it's efforts

-Result #2: the ad network will probably use traditional methods (3rd party cookies) instead of ISP database to attempt to tailor ads.

Note that if you have (pre VPN use) entries in the database and the advertisers can link you somehow (cookies) with your ISP unique ID, they can still target you (even after you start using a VPN) with ads targeting your (pre VPN) web history.

As far as opting out goes: even if your ISP is not putting unique identifiers on your packets, they can still build a database of all the sites you like to visit, and sell that database to ad networks. The ad network has to work a little harder to tailor ads because they don't have the identifier. Using a VPN prevents the ISP from building any database of your behavior (other than data usage/volume and times that you surf; i.e. some metadata), so a VPN helps in this case as well.